xref: /freebsd/crypto/openssh/sshd_config.5 (revision f374ba41f55c1a127303d92d830dd58eef2f5243)
1545d5ecaSDag-Erling Smørgrav.\"
2545d5ecaSDag-Erling Smørgrav.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
3545d5ecaSDag-Erling Smørgrav.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4545d5ecaSDag-Erling Smørgrav.\"                    All rights reserved
5545d5ecaSDag-Erling Smørgrav.\"
6545d5ecaSDag-Erling Smørgrav.\" As far as I am concerned, the code I have written for this software
7545d5ecaSDag-Erling Smørgrav.\" can be used freely for any purpose.  Any derived versions of this
8545d5ecaSDag-Erling Smørgrav.\" software must be clearly marked as such, and if the derived work is
9545d5ecaSDag-Erling Smørgrav.\" incompatible with the protocol description in the RFC file, it must be
10545d5ecaSDag-Erling Smørgrav.\" called by a name other than "ssh" or "Secure Shell".
11545d5ecaSDag-Erling Smørgrav.\"
12545d5ecaSDag-Erling Smørgrav.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
13545d5ecaSDag-Erling Smørgrav.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
14545d5ecaSDag-Erling Smørgrav.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
15545d5ecaSDag-Erling Smørgrav.\"
16545d5ecaSDag-Erling Smørgrav.\" Redistribution and use in source and binary forms, with or without
17545d5ecaSDag-Erling Smørgrav.\" modification, are permitted provided that the following conditions
18545d5ecaSDag-Erling Smørgrav.\" are met:
19545d5ecaSDag-Erling Smørgrav.\" 1. Redistributions of source code must retain the above copyright
20545d5ecaSDag-Erling Smørgrav.\"    notice, this list of conditions and the following disclaimer.
21545d5ecaSDag-Erling Smørgrav.\" 2. Redistributions in binary form must reproduce the above copyright
22545d5ecaSDag-Erling Smørgrav.\"    notice, this list of conditions and the following disclaimer in the
23545d5ecaSDag-Erling Smørgrav.\"    documentation and/or other materials provided with the distribution.
24545d5ecaSDag-Erling Smørgrav.\"
25545d5ecaSDag-Erling Smørgrav.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26545d5ecaSDag-Erling Smørgrav.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27545d5ecaSDag-Erling Smørgrav.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28545d5ecaSDag-Erling Smørgrav.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29545d5ecaSDag-Erling Smørgrav.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30545d5ecaSDag-Erling Smørgrav.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31545d5ecaSDag-Erling Smørgrav.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32545d5ecaSDag-Erling Smørgrav.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33545d5ecaSDag-Erling Smørgrav.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34545d5ecaSDag-Erling Smørgrav.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35545d5ecaSDag-Erling Smørgrav.\"
36*f374ba41SEd Maste.\" $OpenBSD: sshd_config.5,v 1.347 2023/01/18 06:55:32 jmc Exp $
37*f374ba41SEd Maste.Dd $Mdocdate: January 18 2023 $
38545d5ecaSDag-Erling Smørgrav.Dt SSHD_CONFIG 5
39545d5ecaSDag-Erling Smørgrav.Os
40545d5ecaSDag-Erling Smørgrav.Sh NAME
41545d5ecaSDag-Erling Smørgrav.Nm sshd_config
4219261079SEd Maste.Nd OpenSSH daemon configuration file
43545d5ecaSDag-Erling Smørgrav.Sh DESCRIPTION
44333ee039SDag-Erling Smørgrav.Xr sshd 8
45545d5ecaSDag-Erling Smørgravreads configuration data from
46545d5ecaSDag-Erling Smørgrav.Pa /etc/ssh/sshd_config
47545d5ecaSDag-Erling Smørgrav(or the file specified with
48545d5ecaSDag-Erling Smørgrav.Fl f
49545d5ecaSDag-Erling Smørgravon the command line).
50545d5ecaSDag-Erling SmørgravThe file contains keyword-argument pairs, one per line.
5147dd1d1bSDag-Erling SmørgravFor each keyword, the first obtained value will be used.
52545d5ecaSDag-Erling SmørgravLines starting with
53545d5ecaSDag-Erling Smørgrav.Ql #
54545d5ecaSDag-Erling Smørgravand empty lines are interpreted as comments.
55333ee039SDag-Erling SmørgravArguments may optionally be enclosed in double quotes
56333ee039SDag-Erling Smørgrav.Pq \&"
57333ee039SDag-Erling Smørgravin order to represent arguments containing spaces.
58545d5ecaSDag-Erling Smørgrav.Pp
59545d5ecaSDag-Erling SmørgravThe possible
60545d5ecaSDag-Erling Smørgravkeywords and their meanings are as follows (note that
61545d5ecaSDag-Erling Smørgravkeywords are case-insensitive and arguments are case-sensitive):
62545d5ecaSDag-Erling Smørgrav.Bl -tag -width Ds
6321e764dfSDag-Erling Smørgrav.It Cm AcceptEnv
6421e764dfSDag-Erling SmørgravSpecifies what environment variables sent by the client will be copied into
6521e764dfSDag-Erling Smørgravthe session's
6621e764dfSDag-Erling Smørgrav.Xr environ 7 .
6721e764dfSDag-Erling SmørgravSee
6821e764dfSDag-Erling Smørgrav.Cm SendEnv
69190cef3dSDag-Erling Smørgravand
70190cef3dSDag-Erling Smørgrav.Cm SetEnv
7121e764dfSDag-Erling Smørgravin
7221e764dfSDag-Erling Smørgrav.Xr ssh_config 5
7321e764dfSDag-Erling Smørgravfor how to configure the client.
74acc1a9efSDag-Erling SmørgravThe
75557f75e5SDag-Erling Smørgrav.Ev TERM
76190cef3dSDag-Erling Smørgravenvironment variable is always accepted whenever the client
77557f75e5SDag-Erling Smørgravrequests a pseudo-terminal as it is required by the protocol.
7821e764dfSDag-Erling SmørgravVariables are specified by name, which may contain the wildcard characters
79333ee039SDag-Erling Smørgrav.Ql *
8021e764dfSDag-Erling Smørgravand
8121e764dfSDag-Erling Smørgrav.Ql \&? .
8221e764dfSDag-Erling SmørgravMultiple environment variables may be separated by whitespace or spread
8321e764dfSDag-Erling Smørgravacross multiple
8421e764dfSDag-Erling Smørgrav.Cm AcceptEnv
8521e764dfSDag-Erling Smørgravdirectives.
8621e764dfSDag-Erling SmørgravBe warned that some environment variables could be used to bypass restricted
8721e764dfSDag-Erling Smørgravuser environments.
8821e764dfSDag-Erling SmørgravFor this reason, care should be taken in the use of this directive.
8921e764dfSDag-Erling SmørgravThe default is not to accept any environment variables.
90aa49c926SDag-Erling Smørgrav.It Cm AddressFamily
91aa49c926SDag-Erling SmørgravSpecifies which address family should be used by
92333ee039SDag-Erling Smørgrav.Xr sshd 8 .
93aa49c926SDag-Erling SmørgravValid arguments are
94ca86bcf2SDag-Erling Smørgrav.Cm any
95ca86bcf2SDag-Erling Smørgrav(the default),
96ca86bcf2SDag-Erling Smørgrav.Cm inet
97333ee039SDag-Erling Smørgrav(use IPv4 only), or
98ca86bcf2SDag-Erling Smørgrav.Cm inet6
99aa49c926SDag-Erling Smørgrav(use IPv6 only).
100d4af9e69SDag-Erling Smørgrav.It Cm AllowAgentForwarding
101d4af9e69SDag-Erling SmørgravSpecifies whether
102d4af9e69SDag-Erling Smørgrav.Xr ssh-agent 1
103d4af9e69SDag-Erling Smørgravforwarding is permitted.
104d4af9e69SDag-Erling SmørgravThe default is
105ca86bcf2SDag-Erling Smørgrav.Cm yes .
106d4af9e69SDag-Erling SmørgravNote that disabling agent forwarding does not improve security
107d4af9e69SDag-Erling Smørgravunless users are also denied shell access, as they can always install
108d4af9e69SDag-Erling Smørgravtheir own forwarders.
109545d5ecaSDag-Erling Smørgrav.It Cm AllowGroups
110545d5ecaSDag-Erling SmørgravThis keyword can be followed by a list of group name patterns, separated
111545d5ecaSDag-Erling Smørgravby spaces.
112545d5ecaSDag-Erling SmørgravIf specified, login is allowed only for users whose primary
113545d5ecaSDag-Erling Smørgravgroup or supplementary group list matches one of the patterns.
114545d5ecaSDag-Erling SmørgravOnly group names are valid; a numerical group ID is not recognized.
115545d5ecaSDag-Erling SmørgravBy default, login is allowed for all groups.
11619261079SEd MasteThe allow/deny groups directives are processed in the following order:
117333ee039SDag-Erling Smørgrav.Cm DenyGroups ,
118333ee039SDag-Erling Smørgrav.Cm AllowGroups .
119333ee039SDag-Erling Smørgrav.Pp
120e4a9863fSDag-Erling SmørgravSee PATTERNS in
121333ee039SDag-Erling Smørgrav.Xr ssh_config 5
122333ee039SDag-Erling Smørgravfor more information on patterns.
123a0ee8cc6SDag-Erling Smørgrav.It Cm AllowStreamLocalForwarding
124a0ee8cc6SDag-Erling SmørgravSpecifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
125a0ee8cc6SDag-Erling SmørgravThe available options are
126ca86bcf2SDag-Erling Smørgrav.Cm yes
127ca86bcf2SDag-Erling Smørgrav(the default)
128a0ee8cc6SDag-Erling Smørgravor
129ca86bcf2SDag-Erling Smørgrav.Cm all
130a0ee8cc6SDag-Erling Smørgravto allow StreamLocal forwarding,
131ca86bcf2SDag-Erling Smørgrav.Cm no
132a0ee8cc6SDag-Erling Smørgravto prevent all StreamLocal forwarding,
133ca86bcf2SDag-Erling Smørgrav.Cm local
134a0ee8cc6SDag-Erling Smørgravto allow local (from the perspective of
135a0ee8cc6SDag-Erling Smørgrav.Xr ssh 1 )
136a0ee8cc6SDag-Erling Smørgravforwarding only or
137ca86bcf2SDag-Erling Smørgrav.Cm remote
138a0ee8cc6SDag-Erling Smørgravto allow remote forwarding only.
139a0ee8cc6SDag-Erling SmørgravNote that disabling StreamLocal forwarding does not improve security unless
140a0ee8cc6SDag-Erling Smørgravusers are also denied shell access, as they can always install their
141a0ee8cc6SDag-Erling Smørgravown forwarders.
142ca86bcf2SDag-Erling Smørgrav.It Cm AllowTcpForwarding
143ca86bcf2SDag-Erling SmørgravSpecifies whether TCP forwarding is permitted.
144ca86bcf2SDag-Erling SmørgravThe available options are
145ca86bcf2SDag-Erling Smørgrav.Cm yes
146ca86bcf2SDag-Erling Smørgrav(the default)
147ca86bcf2SDag-Erling Smørgravor
148ca86bcf2SDag-Erling Smørgrav.Cm all
149ca86bcf2SDag-Erling Smørgravto allow TCP forwarding,
150ca86bcf2SDag-Erling Smørgrav.Cm no
151ca86bcf2SDag-Erling Smørgravto prevent all TCP forwarding,
152ca86bcf2SDag-Erling Smørgrav.Cm local
153ca86bcf2SDag-Erling Smørgravto allow local (from the perspective of
154ca86bcf2SDag-Erling Smørgrav.Xr ssh 1 )
155ca86bcf2SDag-Erling Smørgravforwarding only or
156ca86bcf2SDag-Erling Smørgrav.Cm remote
157ca86bcf2SDag-Erling Smørgravto allow remote forwarding only.
158ca86bcf2SDag-Erling SmørgravNote that disabling TCP forwarding does not improve security unless
159ca86bcf2SDag-Erling Smørgravusers are also denied shell access, as they can always install their
160ca86bcf2SDag-Erling Smørgravown forwarders.
161545d5ecaSDag-Erling Smørgrav.It Cm AllowUsers
162545d5ecaSDag-Erling SmørgravThis keyword can be followed by a list of user name patterns, separated
163545d5ecaSDag-Erling Smørgravby spaces.
164e73e9afaSDag-Erling SmørgravIf specified, login is allowed only for user names that
165545d5ecaSDag-Erling Smørgravmatch one of the patterns.
166545d5ecaSDag-Erling SmørgravOnly user names are valid; a numerical user ID is not recognized.
167545d5ecaSDag-Erling SmørgravBy default, login is allowed for all users.
168545d5ecaSDag-Erling SmørgravIf the pattern takes the form USER@HOST then USER and HOST
169545d5ecaSDag-Erling Smørgravare separately checked, restricting logins to particular
170545d5ecaSDag-Erling Smørgravusers from particular hosts.
171076ad2f8SDag-Erling SmørgravHOST criteria may additionally contain addresses to match in CIDR
172076ad2f8SDag-Erling Smørgravaddress/masklen format.
17319261079SEd MasteThe allow/deny users directives are processed in the following order:
174333ee039SDag-Erling Smørgrav.Cm DenyUsers ,
17519261079SEd Maste.Cm AllowUsers .
176333ee039SDag-Erling Smørgrav.Pp
177e4a9863fSDag-Erling SmørgravSee PATTERNS in
178333ee039SDag-Erling Smørgrav.Xr ssh_config 5
179333ee039SDag-Erling Smørgravfor more information on patterns.
1806888a9beSDag-Erling Smørgrav.It Cm AuthenticationMethods
1816888a9beSDag-Erling SmørgravSpecifies the authentication methods that must be successfully completed
1826888a9beSDag-Erling Smørgravfor a user to be granted access.
183190cef3dSDag-Erling SmørgravThis option must be followed by one or more lists of comma-separated
184076ad2f8SDag-Erling Smørgravauthentication method names, or by the single string
185ca86bcf2SDag-Erling Smørgrav.Cm any
186076ad2f8SDag-Erling Smørgravto indicate the default behaviour of accepting any single authentication
187076ad2f8SDag-Erling Smørgravmethod.
188ca86bcf2SDag-Erling SmørgravIf the default is overridden, then successful authentication requires
189076ad2f8SDag-Erling Smørgravcompletion of every method in at least one of these lists.
1906888a9beSDag-Erling Smørgrav.Pp
191ca86bcf2SDag-Erling SmørgravFor example,
192ca86bcf2SDag-Erling Smørgrav.Qq publickey,password publickey,keyboard-interactive
1936888a9beSDag-Erling Smørgravwould require the user to complete public key authentication, followed by
1946888a9beSDag-Erling Smørgraveither password or keyboard interactive authentication.
1956888a9beSDag-Erling SmørgravOnly methods that are next in one or more lists are offered at each stage,
196ca86bcf2SDag-Erling Smørgravso for this example it would not be possible to attempt password or
1976888a9beSDag-Erling Smørgravkeyboard-interactive authentication before public key.
1986888a9beSDag-Erling Smørgrav.Pp
199e4a9863fSDag-Erling SmørgravFor keyboard interactive authentication it is also possible to
200e4a9863fSDag-Erling Smørgravrestrict authentication to a specific device by appending a
201e4a9863fSDag-Erling Smørgravcolon followed by the device identifier
202190cef3dSDag-Erling Smørgrav.Cm bsdauth
203e4a9863fSDag-Erling Smørgravor
204190cef3dSDag-Erling Smørgrav.Cm pam .
205e4a9863fSDag-Erling Smørgravdepending on the server configuration.
206e4a9863fSDag-Erling SmørgravFor example,
207ca86bcf2SDag-Erling Smørgrav.Qq keyboard-interactive:bsdauth
208e4a9863fSDag-Erling Smørgravwould restrict keyboard interactive authentication to the
209ca86bcf2SDag-Erling Smørgrav.Cm bsdauth
210e4a9863fSDag-Erling Smørgravdevice.
211e4a9863fSDag-Erling Smørgrav.Pp
212ca86bcf2SDag-Erling SmørgravIf the publickey method is listed more than once,
213bc5531deSDag-Erling Smørgrav.Xr sshd 8
214bc5531deSDag-Erling Smørgravverifies that keys that have been used successfully are not reused for
215bc5531deSDag-Erling Smørgravsubsequent authentications.
216ca86bcf2SDag-Erling SmørgravFor example,
217ca86bcf2SDag-Erling Smørgrav.Qq publickey,publickey
218ca86bcf2SDag-Erling Smørgravrequires successful authentication using two different public keys.
219bc5531deSDag-Erling Smørgrav.Pp
2206888a9beSDag-Erling SmørgravNote that each authentication method listed should also be explicitly enabled
2216888a9beSDag-Erling Smørgravin the configuration.
2224f52dfbbSDag-Erling Smørgrav.Pp
2234f52dfbbSDag-Erling SmørgravThe available authentication methods are:
2244f52dfbbSDag-Erling Smørgrav.Qq gssapi-with-mic ,
2254f52dfbbSDag-Erling Smørgrav.Qq hostbased ,
2264f52dfbbSDag-Erling Smørgrav.Qq keyboard-interactive ,
2274f52dfbbSDag-Erling Smørgrav.Qq none
2284f52dfbbSDag-Erling Smørgrav(used for access to password-less accounts when
229190cef3dSDag-Erling Smørgrav.Cm PermitEmptyPasswords
2304f52dfbbSDag-Erling Smørgravis enabled),
2314f52dfbbSDag-Erling Smørgrav.Qq password
2324f52dfbbSDag-Erling Smørgravand
2334f52dfbbSDag-Erling Smørgrav.Qq publickey .
2346888a9beSDag-Erling Smørgrav.It Cm AuthorizedKeysCommand
2356888a9beSDag-Erling SmørgravSpecifies a program to be used to look up the user's public keys.
236557f75e5SDag-Erling SmørgravThe program must be owned by root, not writable by group or others and
237557f75e5SDag-Erling Smørgravspecified by an absolute path.
238557f75e5SDag-Erling SmørgravArguments to
239557f75e5SDag-Erling Smørgrav.Cm AuthorizedKeysCommand
240ca86bcf2SDag-Erling Smørgravaccept the tokens described in the
241ca86bcf2SDag-Erling Smørgrav.Sx TOKENS
242ca86bcf2SDag-Erling Smørgravsection.
243ca86bcf2SDag-Erling SmørgravIf no arguments are specified then the username of the target user is used.
244557f75e5SDag-Erling Smørgrav.Pp
245557f75e5SDag-Erling SmørgravThe program should produce on standard output zero or
246ca86bcf2SDag-Erling Smørgravmore lines of authorized_keys output (see
247ca86bcf2SDag-Erling Smørgrav.Sx AUTHORIZED_KEYS
248ca86bcf2SDag-Erling Smørgravin
2496888a9beSDag-Erling Smørgrav.Xr sshd 8 ) .
250ca86bcf2SDag-Erling Smørgrav.Cm AuthorizedKeysCommand
25119261079SEd Masteis tried after the usual
2526888a9beSDag-Erling Smørgrav.Cm AuthorizedKeysFile
25319261079SEd Mastefiles and will not be executed if a matching key is found there.
254ca86bcf2SDag-Erling SmørgravBy default, no
255ca86bcf2SDag-Erling Smørgrav.Cm AuthorizedKeysCommand
256ca86bcf2SDag-Erling Smørgravis run.
2576888a9beSDag-Erling Smørgrav.It Cm AuthorizedKeysCommandUser
258ca86bcf2SDag-Erling SmørgravSpecifies the user under whose account the
259ca86bcf2SDag-Erling Smørgrav.Cm AuthorizedKeysCommand
260ca86bcf2SDag-Erling Smørgravis run.
2616888a9beSDag-Erling SmørgravIt is recommended to use a dedicated user that has no other role on the host
2626888a9beSDag-Erling Smørgravthan running authorized keys commands.
263bc5531deSDag-Erling SmørgravIf
264bc5531deSDag-Erling Smørgrav.Cm AuthorizedKeysCommand
265bc5531deSDag-Erling Smørgravis specified but
266bc5531deSDag-Erling Smørgrav.Cm AuthorizedKeysCommandUser
267bc5531deSDag-Erling Smørgravis not, then
268bc5531deSDag-Erling Smørgrav.Xr sshd 8
269bc5531deSDag-Erling Smørgravwill refuse to start.
270545d5ecaSDag-Erling Smørgrav.It Cm AuthorizedKeysFile
271ca86bcf2SDag-Erling SmørgravSpecifies the file that contains the public keys used for user authentication.
27219261079SEd MasteThe format is described in the AUTHORIZED_KEYS FILE FORMAT section of
273e2f6069cSDag-Erling Smørgrav.Xr sshd 8 .
274ca86bcf2SDag-Erling SmørgravArguments to
275545d5ecaSDag-Erling Smørgrav.Cm AuthorizedKeysFile
276ca86bcf2SDag-Erling Smørgravaccept the tokens described in the
277ca86bcf2SDag-Erling Smørgrav.Sx TOKENS
278ca86bcf2SDag-Erling Smørgravsection.
279545d5ecaSDag-Erling SmørgravAfter expansion,
280545d5ecaSDag-Erling Smørgrav.Cm AuthorizedKeysFile
281545d5ecaSDag-Erling Smørgravis taken to be an absolute path or one relative to the user's home
282545d5ecaSDag-Erling Smørgravdirectory.
283e146993eSDag-Erling SmørgravMultiple files may be listed, separated by whitespace.
284acc1a9efSDag-Erling SmørgravAlternately this option may be set to
285ca86bcf2SDag-Erling Smørgrav.Cm none
286acc1a9efSDag-Erling Smørgravto skip checking for user keys in files.
287545d5ecaSDag-Erling SmørgravThe default is
288ca86bcf2SDag-Erling Smørgrav.Qq .ssh/authorized_keys .ssh/authorized_keys2 .
289557f75e5SDag-Erling Smørgrav.It Cm AuthorizedPrincipalsCommand
290557f75e5SDag-Erling SmørgravSpecifies a program to be used to generate the list of allowed
291557f75e5SDag-Erling Smørgravcertificate principals as per
292557f75e5SDag-Erling Smørgrav.Cm AuthorizedPrincipalsFile .
293557f75e5SDag-Erling SmørgravThe program must be owned by root, not writable by group or others and
294557f75e5SDag-Erling Smørgravspecified by an absolute path.
295557f75e5SDag-Erling SmørgravArguments to
296557f75e5SDag-Erling Smørgrav.Cm AuthorizedPrincipalsCommand
297ca86bcf2SDag-Erling Smørgravaccept the tokens described in the
298ca86bcf2SDag-Erling Smørgrav.Sx TOKENS
299ca86bcf2SDag-Erling Smørgravsection.
300ca86bcf2SDag-Erling SmørgravIf no arguments are specified then the username of the target user is used.
301557f75e5SDag-Erling Smørgrav.Pp
302557f75e5SDag-Erling SmørgravThe program should produce on standard output zero or
303557f75e5SDag-Erling Smørgravmore lines of
304557f75e5SDag-Erling Smørgrav.Cm AuthorizedPrincipalsFile
305557f75e5SDag-Erling Smørgravoutput.
306557f75e5SDag-Erling SmørgravIf either
307557f75e5SDag-Erling Smørgrav.Cm AuthorizedPrincipalsCommand
308557f75e5SDag-Erling Smørgravor
309557f75e5SDag-Erling Smørgrav.Cm AuthorizedPrincipalsFile
310557f75e5SDag-Erling Smørgravis specified, then certificates offered by the client for authentication
311557f75e5SDag-Erling Smørgravmust contain a principal that is listed.
312ca86bcf2SDag-Erling SmørgravBy default, no
313ca86bcf2SDag-Erling Smørgrav.Cm AuthorizedPrincipalsCommand
314ca86bcf2SDag-Erling Smørgravis run.
315557f75e5SDag-Erling Smørgrav.It Cm AuthorizedPrincipalsCommandUser
316ca86bcf2SDag-Erling SmørgravSpecifies the user under whose account the
317ca86bcf2SDag-Erling Smørgrav.Cm AuthorizedPrincipalsCommand
318ca86bcf2SDag-Erling Smørgravis run.
319557f75e5SDag-Erling SmørgravIt is recommended to use a dedicated user that has no other role on the host
320557f75e5SDag-Erling Smørgravthan running authorized principals commands.
321557f75e5SDag-Erling SmørgravIf
322557f75e5SDag-Erling Smørgrav.Cm AuthorizedPrincipalsCommand
323557f75e5SDag-Erling Smørgravis specified but
324557f75e5SDag-Erling Smørgrav.Cm AuthorizedPrincipalsCommandUser
325557f75e5SDag-Erling Smørgravis not, then
326557f75e5SDag-Erling Smørgrav.Xr sshd 8
327557f75e5SDag-Erling Smørgravwill refuse to start.
328e2f6069cSDag-Erling Smørgrav.It Cm AuthorizedPrincipalsFile
329e2f6069cSDag-Erling SmørgravSpecifies a file that lists principal names that are accepted for
330e2f6069cSDag-Erling Smørgravcertificate authentication.
331e2f6069cSDag-Erling SmørgravWhen using certificates signed by a key listed in
332e2f6069cSDag-Erling Smørgrav.Cm TrustedUserCAKeys ,
333e2f6069cSDag-Erling Smørgravthis file lists names, one of which must appear in the certificate for it
334e2f6069cSDag-Erling Smørgravto be accepted for authentication.
335ca86bcf2SDag-Erling SmørgravNames are listed one per line preceded by key options (as described in
336ca86bcf2SDag-Erling Smørgrav.Sx AUTHORIZED_KEYS FILE FORMAT
337ca86bcf2SDag-Erling Smørgravin
338e2f6069cSDag-Erling Smørgrav.Xr sshd 8 ) .
339e2f6069cSDag-Erling SmørgravEmpty lines and comments starting with
340e2f6069cSDag-Erling Smørgrav.Ql #
341e2f6069cSDag-Erling Smørgravare ignored.
342e2f6069cSDag-Erling Smørgrav.Pp
343ca86bcf2SDag-Erling SmørgravArguments to
344e2f6069cSDag-Erling Smørgrav.Cm AuthorizedPrincipalsFile
345ca86bcf2SDag-Erling Smørgravaccept the tokens described in the
346ca86bcf2SDag-Erling Smørgrav.Sx TOKENS
347ca86bcf2SDag-Erling Smørgravsection.
348e2f6069cSDag-Erling SmørgravAfter expansion,
349e2f6069cSDag-Erling Smørgrav.Cm AuthorizedPrincipalsFile
350ca86bcf2SDag-Erling Smørgravis taken to be an absolute path or one relative to the user's home directory.
351462c32cbSDag-Erling SmørgravThe default is
352ca86bcf2SDag-Erling Smørgrav.Cm none ,
353462c32cbSDag-Erling Smørgravi.e. not to use a principals file \(en in this case, the username
354e2f6069cSDag-Erling Smørgravof the user must appear in a certificate's principals list for it to be
355e2f6069cSDag-Erling Smørgravaccepted.
356ca86bcf2SDag-Erling Smørgrav.Pp
357e2f6069cSDag-Erling SmørgravNote that
358e2f6069cSDag-Erling Smørgrav.Cm AuthorizedPrincipalsFile
359e2f6069cSDag-Erling Smørgravis only used when authentication proceeds using a CA listed in
360e2f6069cSDag-Erling Smørgrav.Cm TrustedUserCAKeys
361e2f6069cSDag-Erling Smørgravand is not consulted for certification authorities trusted via
362e2f6069cSDag-Erling Smørgrav.Pa ~/.ssh/authorized_keys ,
363e2f6069cSDag-Erling Smørgravthough the
364e2f6069cSDag-Erling Smørgrav.Cm principals=
365e2f6069cSDag-Erling Smørgravkey option offers a similar facility (see
366e2f6069cSDag-Erling Smørgrav.Xr sshd 8
367e2f6069cSDag-Erling Smørgravfor details).
368545d5ecaSDag-Erling Smørgrav.It Cm Banner
369545d5ecaSDag-Erling SmørgravThe contents of the specified file are sent to the remote user before
370545d5ecaSDag-Erling Smørgravauthentication is allowed.
371d4af9e69SDag-Erling SmørgravIf the argument is
372ca86bcf2SDag-Erling Smørgrav.Cm none
373d4af9e69SDag-Erling Smørgravthen no banner is displayed.
374545d5ecaSDag-Erling SmørgravBy default, no banner is displayed.
3752f513db7SEd Maste.It Cm CASignatureAlgorithms
3762f513db7SEd MasteSpecifies which algorithms are allowed for signing of certificates
3772f513db7SEd Masteby certificate authorities (CAs).
3782f513db7SEd MasteThe default is:
3792f513db7SEd Maste.Bd -literal -offset indent
38019261079SEd Mastessh-ed25519,ecdsa-sha2-nistp256,
38119261079SEd Masteecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
38219261079SEd Mastesk-ssh-ed25519@openssh.com,
38319261079SEd Mastesk-ecdsa-sha2-nistp256@openssh.com,
38419261079SEd Mastersa-sha2-512,rsa-sha2-256
3852f513db7SEd Maste.Ed
3862f513db7SEd Maste.Pp
38719261079SEd MasteIf the specified list begins with a
38819261079SEd Maste.Sq +
38919261079SEd Mastecharacter, then the specified algorithms will be appended to the default set
39019261079SEd Masteinstead of replacing them.
39119261079SEd MasteIf the specified list begins with a
39219261079SEd Maste.Sq -
39319261079SEd Mastecharacter, then the specified algorithms (including wildcards) will be removed
39419261079SEd Mastefrom the default set instead of replacing them.
39519261079SEd Maste.Pp
3962f513db7SEd MasteCertificates signed using other algorithms will not be accepted for
3972f513db7SEd Mastepublic key or host-based authentication.
398*f374ba41SEd Maste.It Cm ChannelTimeout
399*f374ba41SEd MasteSpecifies whether and how quickly
400*f374ba41SEd Maste.Xr sshd 8
401*f374ba41SEd Masteshould close inactive channels.
402*f374ba41SEd MasteTimeouts are specified as one or more
403*f374ba41SEd Maste.Dq type=interval
404*f374ba41SEd Mastepairs separated by whitespace, where the
405*f374ba41SEd Maste.Dq type
406*f374ba41SEd Mastemust be a channel type name (as described in the table below), optionally
407*f374ba41SEd Mastecontaining wildcard characters.
408*f374ba41SEd Maste.Pp
409*f374ba41SEd MasteThe timeout value
410*f374ba41SEd Maste.Dq interval
411*f374ba41SEd Masteis specified in seconds or may use any of the units documented in the
412*f374ba41SEd Maste.Sx TIME FORMATS
413*f374ba41SEd Mastesection.
414*f374ba41SEd MasteFor example,
415*f374ba41SEd Maste.Dq session:*=5m
416*f374ba41SEd Mastewould cause all sessions to terminate after five minutes of inactivity.
417*f374ba41SEd MasteSpecifying a zero value disables the inactivity timeout.
418*f374ba41SEd Maste.Pp
419*f374ba41SEd MasteThe available channel types include:
420*f374ba41SEd Maste.Bl -tag -width Ds
421*f374ba41SEd Maste.It Cm agent-connection
422*f374ba41SEd MasteOpen connections to
423*f374ba41SEd Maste.Xr ssh-agent 1 .
424*f374ba41SEd Maste.It Cm direct-tcpip , Cm direct-streamlocal@openssh.com
425*f374ba41SEd MasteOpen TCP or Unix socket (respectively) connections that have
426*f374ba41SEd Mastebeen established from a
427*f374ba41SEd Maste.Xr ssh 1
428*f374ba41SEd Mastelocal forwarding, i.e.\&
429*f374ba41SEd Maste.Cm LocalForward
430*f374ba41SEd Masteor
431*f374ba41SEd Maste.Cm DynamicForward .
432*f374ba41SEd Maste.It Cm forwarded-tcpip , Cm forwarded-streamlocal@openssh.com
433*f374ba41SEd MasteOpen TCP or Unix socket (respectively) connections that have been
434*f374ba41SEd Masteestablished to a
435*f374ba41SEd Maste.Xr sshd 8
436*f374ba41SEd Mastelistening on behalf of a
437*f374ba41SEd Maste.Xr ssh 1
438*f374ba41SEd Masteremote forwarding, i.e.\&
439*f374ba41SEd Maste.Cm RemoteForward .
440*f374ba41SEd Maste.It Cm session:command
441*f374ba41SEd MasteCommand execution sessions.
442*f374ba41SEd Maste.It Cm session:shell
443*f374ba41SEd MasteInteractive shell sessions.
444*f374ba41SEd Maste.It Cm session:subsystem:...
445*f374ba41SEd MasteSubsystem sessions, e.g. for
446*f374ba41SEd Maste.Xr sftp 1 ,
447*f374ba41SEd Mastewhich could be identified as
448*f374ba41SEd Maste.Cm session:subsystem:sftp .
449*f374ba41SEd Maste.It Cm x11-connection
450*f374ba41SEd MasteOpen X11 forwarding sessions.
451*f374ba41SEd Maste.El
452*f374ba41SEd Maste.Pp
453*f374ba41SEd MasteNote that in all the above cases, terminating an inactive session does not
454*f374ba41SEd Masteguarantee to remove all resources associated with the session, e.g. shell
455*f374ba41SEd Masteprocesses or X11 clients relating to the session may continue to execute.
456*f374ba41SEd Maste.Pp
457*f374ba41SEd MasteMoreover, terminating an inactive channel or session does not necessarily
458*f374ba41SEd Masteclose the SSH connection, nor does it prevent a client from
459*f374ba41SEd Masterequesting another channel of the same type.
460*f374ba41SEd MasteIn particular, expiring an inactive forwarding session does not prevent
461*f374ba41SEd Masteanother identical forwarding from being subsequently created.
462*f374ba41SEd MasteSee also
463*f374ba41SEd Maste.Cm UnusedConnectionTimeout ,
464*f374ba41SEd Mastewhich may be used in conjunction with this option.
465*f374ba41SEd Maste.Pp
466*f374ba41SEd MasteThe default is not to expire channels of any type for inactivity.
467d4af9e69SDag-Erling Smørgrav.It Cm ChrootDirectory
468b15c8340SDag-Erling SmørgravSpecifies the pathname of a directory to
469d4af9e69SDag-Erling Smørgrav.Xr chroot 2
470d4af9e69SDag-Erling Smørgravto after authentication.
471bc5531deSDag-Erling SmørgravAt session startup
472bc5531deSDag-Erling Smørgrav.Xr sshd 8
473bc5531deSDag-Erling Smørgravchecks that all components of the pathname are root-owned directories
474bc5531deSDag-Erling Smørgravwhich are not writable by any other user or group.
4757aee6ffeSDag-Erling SmørgravAfter the chroot,
4767aee6ffeSDag-Erling Smørgrav.Xr sshd 8
4777aee6ffeSDag-Erling Smørgravchanges the working directory to the user's home directory.
478ca86bcf2SDag-Erling SmørgravArguments to
479ca86bcf2SDag-Erling Smørgrav.Cm ChrootDirectory
480ca86bcf2SDag-Erling Smørgravaccept the tokens described in the
481ca86bcf2SDag-Erling Smørgrav.Sx TOKENS
482ca86bcf2SDag-Erling Smørgravsection.
483d4af9e69SDag-Erling Smørgrav.Pp
484d4af9e69SDag-Erling SmørgravThe
485d4af9e69SDag-Erling Smørgrav.Cm ChrootDirectory
486d4af9e69SDag-Erling Smørgravmust contain the necessary files and directories to support the
4877aee6ffeSDag-Erling Smørgravuser's session.
488d4af9e69SDag-Erling SmørgravFor an interactive session this requires at least a shell, typically
489d4af9e69SDag-Erling Smørgrav.Xr sh 1 ,
490d4af9e69SDag-Erling Smørgravand basic
491d4af9e69SDag-Erling Smørgrav.Pa /dev
492d4af9e69SDag-Erling Smørgravnodes such as
493d4af9e69SDag-Erling Smørgrav.Xr null 4 ,
494d4af9e69SDag-Erling Smørgrav.Xr zero 4 ,
495d4af9e69SDag-Erling Smørgrav.Xr stdin 4 ,
496d4af9e69SDag-Erling Smørgrav.Xr stdout 4 ,
497d4af9e69SDag-Erling Smørgrav.Xr stderr 4 ,
498d4af9e69SDag-Erling Smørgravand
499d4af9e69SDag-Erling Smørgrav.Xr tty 4
500d4af9e69SDag-Erling Smørgravdevices.
501ca86bcf2SDag-Erling SmørgravFor file transfer sessions using SFTP
502ca86bcf2SDag-Erling Smørgravno additional configuration of the environment is necessary if the in-process
503ca86bcf2SDag-Erling Smørgravsftp-server is used,
504a0ee8cc6SDag-Erling Smørgravthough sessions which use logging may require
5057aee6ffeSDag-Erling Smørgrav.Pa /dev/log
506a0ee8cc6SDag-Erling Smørgravinside the chroot directory on some operating systems (see
5077aee6ffeSDag-Erling Smørgrav.Xr sftp-server 8
508d4af9e69SDag-Erling Smørgravfor details).
509d4af9e69SDag-Erling Smørgrav.Pp
510bc5531deSDag-Erling SmørgravFor safety, it is very important that the directory hierarchy be
511bc5531deSDag-Erling Smørgravprevented from modification by other processes on the system (especially
512bc5531deSDag-Erling Smørgravthose outside the jail).
513bc5531deSDag-Erling SmørgravMisconfiguration can lead to unsafe environments which
514bc5531deSDag-Erling Smørgrav.Xr sshd 8
515bc5531deSDag-Erling Smørgravcannot detect.
516bc5531deSDag-Erling Smørgrav.Pp
517acc1a9efSDag-Erling SmørgravThe default is
518ca86bcf2SDag-Erling Smørgrav.Cm none ,
519acc1a9efSDag-Erling Smørgravindicating not to
520d4af9e69SDag-Erling Smørgrav.Xr chroot 2 .
521545d5ecaSDag-Erling Smørgrav.It Cm Ciphers
522acc1a9efSDag-Erling SmørgravSpecifies the ciphers allowed.
523545d5ecaSDag-Erling SmørgravMultiple ciphers must be comma-separated.
52419261079SEd MasteIf the specified list begins with a
525eccfee6eSDag-Erling Smørgrav.Sq +
526eccfee6eSDag-Erling Smørgravcharacter, then the specified ciphers will be appended to the default set
527eccfee6eSDag-Erling Smørgravinstead of replacing them.
52819261079SEd MasteIf the specified list begins with a
529d93a896eSDag-Erling Smørgrav.Sq -
530d93a896eSDag-Erling Smørgravcharacter, then the specified ciphers (including wildcards) will be removed
531d93a896eSDag-Erling Smørgravfrom the default set instead of replacing them.
53219261079SEd MasteIf the specified list begins with a
53319261079SEd Maste.Sq ^
53419261079SEd Mastecharacter, then the specified ciphers will be placed at the head of the
53519261079SEd Mastedefault set.
536eccfee6eSDag-Erling Smørgrav.Pp
537f7167e0eSDag-Erling SmørgravThe supported ciphers are:
538f7167e0eSDag-Erling Smørgrav.Pp
539a0ee8cc6SDag-Erling Smørgrav.Bl -item -compact -offset indent
540a0ee8cc6SDag-Erling Smørgrav.It
541a0ee8cc6SDag-Erling Smørgrav3des-cbc
542a0ee8cc6SDag-Erling Smørgrav.It
543a0ee8cc6SDag-Erling Smørgravaes128-cbc
544a0ee8cc6SDag-Erling Smørgrav.It
545a0ee8cc6SDag-Erling Smørgravaes192-cbc
546a0ee8cc6SDag-Erling Smørgrav.It
547a0ee8cc6SDag-Erling Smørgravaes256-cbc
548a0ee8cc6SDag-Erling Smørgrav.It
549a0ee8cc6SDag-Erling Smørgravaes128-ctr
550a0ee8cc6SDag-Erling Smørgrav.It
551a0ee8cc6SDag-Erling Smørgravaes192-ctr
552a0ee8cc6SDag-Erling Smørgrav.It
553a0ee8cc6SDag-Erling Smørgravaes256-ctr
554a0ee8cc6SDag-Erling Smørgrav.It
555a0ee8cc6SDag-Erling Smørgravaes128-gcm@openssh.com
556a0ee8cc6SDag-Erling Smørgrav.It
557a0ee8cc6SDag-Erling Smørgravaes256-gcm@openssh.com
558a0ee8cc6SDag-Erling Smørgrav.It
559a0ee8cc6SDag-Erling Smørgravchacha20-poly1305@openssh.com
560a0ee8cc6SDag-Erling Smørgrav.El
561f7167e0eSDag-Erling Smørgrav.Pp
562333ee039SDag-Erling SmørgravThe default is:
563a0ee8cc6SDag-Erling Smørgrav.Bd -literal -offset indent
564fc1ba28aSDag-Erling Smørgravchacha20-poly1305@openssh.com,
565a0ee8cc6SDag-Erling Smørgravaes128-ctr,aes192-ctr,aes256-ctr,
566952d18a2SEd Masteaes128-gcm@openssh.com,aes256-gcm@openssh.com
567545d5ecaSDag-Erling Smørgrav.Ed
568f7167e0eSDag-Erling Smørgrav.Pp
569ca86bcf2SDag-Erling SmørgravThe list of available ciphers may also be obtained using
570ca86bcf2SDag-Erling Smørgrav.Qq ssh -Q cipher .
571545d5ecaSDag-Erling Smørgrav.It Cm ClientAliveCountMax
572ca86bcf2SDag-Erling SmørgravSets the number of client alive messages which may be sent without
573333ee039SDag-Erling Smørgrav.Xr sshd 8
574cf2b5f3bSDag-Erling Smørgravreceiving any messages back from the client.
575cf2b5f3bSDag-Erling SmørgravIf this threshold is reached while client alive messages are being sent,
576333ee039SDag-Erling Smørgravsshd will disconnect the client, terminating the session.
577cf2b5f3bSDag-Erling SmørgravIt is important to note that the use of client alive messages is very
578cf2b5f3bSDag-Erling Smørgravdifferent from
579ca86bcf2SDag-Erling Smørgrav.Cm TCPKeepAlive .
580cf2b5f3bSDag-Erling SmørgravThe client alive messages are sent through the encrypted channel
581cf2b5f3bSDag-Erling Smørgravand therefore will not be spoofable.
582cf2b5f3bSDag-Erling SmørgravThe TCP keepalive option enabled by
5831ec0d754SDag-Erling Smørgrav.Cm TCPKeepAlive
584cf2b5f3bSDag-Erling Smørgravis spoofable.
585cf2b5f3bSDag-Erling SmørgravThe client alive mechanism is valuable when the client or
58619261079SEd Masteserver depend on knowing when a connection has become unresponsive.
587545d5ecaSDag-Erling Smørgrav.Pp
588cf2b5f3bSDag-Erling SmørgravThe default value is 3.
589cf2b5f3bSDag-Erling SmørgravIf
590545d5ecaSDag-Erling Smørgrav.Cm ClientAliveInterval
591ca86bcf2SDag-Erling Smørgravis set to 15, and
592545d5ecaSDag-Erling Smørgrav.Cm ClientAliveCountMax
593333ee039SDag-Erling Smørgravis left at the default, unresponsive SSH clients
594545d5ecaSDag-Erling Smørgravwill be disconnected after approximately 45 seconds.
59519261079SEd MasteSetting a zero
59619261079SEd Maste.Cm ClientAliveCountMax
59719261079SEd Mastedisables connection termination.
598d4ecd108SDag-Erling Smørgrav.It Cm ClientAliveInterval
599d4ecd108SDag-Erling SmørgravSets a timeout interval in seconds after which if no data has been received
600d4ecd108SDag-Erling Smørgravfrom the client,
601333ee039SDag-Erling Smørgrav.Xr sshd 8
602d4ecd108SDag-Erling Smørgravwill send a message through the encrypted
603d4ecd108SDag-Erling Smørgravchannel to request a response from the client.
604d4ecd108SDag-Erling SmørgravThe default
605d4ecd108SDag-Erling Smørgravis 0, indicating that these messages will not be sent to the client.
606545d5ecaSDag-Erling Smørgrav.It Cm Compression
607ca86bcf2SDag-Erling SmørgravSpecifies whether compression is enabled after
608d4ecd108SDag-Erling Smørgravthe user has authenticated successfully.
609545d5ecaSDag-Erling SmørgravThe argument must be
610ca86bcf2SDag-Erling Smørgrav.Cm yes ,
611ca86bcf2SDag-Erling Smørgrav.Cm delayed
612ca86bcf2SDag-Erling Smørgrav(a legacy synonym for
613ca86bcf2SDag-Erling Smørgrav.Cm yes )
614545d5ecaSDag-Erling Smørgravor
615ca86bcf2SDag-Erling Smørgrav.Cm no .
616545d5ecaSDag-Erling SmørgravThe default is
617ca86bcf2SDag-Erling Smørgrav.Cm yes .
618545d5ecaSDag-Erling Smørgrav.It Cm DenyGroups
619545d5ecaSDag-Erling SmørgravThis keyword can be followed by a list of group name patterns, separated
620545d5ecaSDag-Erling Smørgravby spaces.
621545d5ecaSDag-Erling SmørgravLogin is disallowed for users whose primary group or supplementary
622545d5ecaSDag-Erling Smørgravgroup list matches one of the patterns.
623545d5ecaSDag-Erling SmørgravOnly group names are valid; a numerical group ID is not recognized.
624545d5ecaSDag-Erling SmørgravBy default, login is allowed for all groups.
62519261079SEd MasteThe allow/deny groups directives are processed in the following order:
626333ee039SDag-Erling Smørgrav.Cm DenyGroups ,
627333ee039SDag-Erling Smørgrav.Cm AllowGroups .
628333ee039SDag-Erling Smørgrav.Pp
629e4a9863fSDag-Erling SmørgravSee PATTERNS in
630333ee039SDag-Erling Smørgrav.Xr ssh_config 5
631333ee039SDag-Erling Smørgravfor more information on patterns.
632545d5ecaSDag-Erling Smørgrav.It Cm DenyUsers
633545d5ecaSDag-Erling SmørgravThis keyword can be followed by a list of user name patterns, separated
634545d5ecaSDag-Erling Smørgravby spaces.
635545d5ecaSDag-Erling SmørgravLogin is disallowed for user names that match one of the patterns.
636545d5ecaSDag-Erling SmørgravOnly user names are valid; a numerical user ID is not recognized.
637545d5ecaSDag-Erling SmørgravBy default, login is allowed for all users.
638545d5ecaSDag-Erling SmørgravIf the pattern takes the form USER@HOST then USER and HOST
639545d5ecaSDag-Erling Smørgravare separately checked, restricting logins to particular
640545d5ecaSDag-Erling Smørgravusers from particular hosts.
641076ad2f8SDag-Erling SmørgravHOST criteria may additionally contain addresses to match in CIDR
642076ad2f8SDag-Erling Smørgravaddress/masklen format.
64319261079SEd MasteThe allow/deny users directives are processed in the following order:
644333ee039SDag-Erling Smørgrav.Cm DenyUsers ,
64519261079SEd Maste.Cm AllowUsers .
646333ee039SDag-Erling Smørgrav.Pp
647e4a9863fSDag-Erling SmørgravSee PATTERNS in
648333ee039SDag-Erling Smørgrav.Xr ssh_config 5
649333ee039SDag-Erling Smørgravfor more information on patterns.
650ca86bcf2SDag-Erling Smørgrav.It Cm DisableForwarding
651ca86bcf2SDag-Erling SmørgravDisables all forwarding features, including X11,
652ca86bcf2SDag-Erling Smørgrav.Xr ssh-agent 1 ,
653ca86bcf2SDag-Erling SmørgravTCP and StreamLocal.
654ca86bcf2SDag-Erling SmørgravThis option overrides all other forwarding-related options and may
655ca86bcf2SDag-Erling Smørgravsimplify restricted configurations.
6564f52dfbbSDag-Erling Smørgrav.It Cm ExposeAuthInfo
6574f52dfbbSDag-Erling SmørgravWrites a temporary file containing a list of authentication methods and
6584f52dfbbSDag-Erling Smørgravpublic credentials (e.g. keys) used to authenticate the user.
6594f52dfbbSDag-Erling SmørgravThe location of the file is exposed to the user session through the
6604f52dfbbSDag-Erling Smørgrav.Ev SSH_USER_AUTH
6614f52dfbbSDag-Erling Smørgravenvironment variable.
6624f52dfbbSDag-Erling SmørgravThe default is
6634f52dfbbSDag-Erling Smørgrav.Cm no .
664bc5531deSDag-Erling Smørgrav.It Cm FingerprintHash
665bc5531deSDag-Erling SmørgravSpecifies the hash algorithm used when logging key fingerprints.
666bc5531deSDag-Erling SmørgravValid options are:
667ca86bcf2SDag-Erling Smørgrav.Cm md5
668bc5531deSDag-Erling Smørgravand
669ca86bcf2SDag-Erling Smørgrav.Cm sha256 .
670bc5531deSDag-Erling SmørgravThe default is
671ca86bcf2SDag-Erling Smørgrav.Cm sha256 .
672333ee039SDag-Erling Smørgrav.It Cm ForceCommand
673333ee039SDag-Erling SmørgravForces the execution of the command specified by
674333ee039SDag-Erling Smørgrav.Cm ForceCommand ,
675d4af9e69SDag-Erling Smørgravignoring any command supplied by the client and
676d4af9e69SDag-Erling Smørgrav.Pa ~/.ssh/rc
677d4af9e69SDag-Erling Smørgravif present.
678333ee039SDag-Erling SmørgravThe command is invoked by using the user's login shell with the -c option.
679333ee039SDag-Erling SmørgravThis applies to shell, command, or subsystem execution.
680333ee039SDag-Erling SmørgravIt is most useful inside a
681333ee039SDag-Erling Smørgrav.Cm Match
682333ee039SDag-Erling Smørgravblock.
683333ee039SDag-Erling SmørgravThe command originally supplied by the client is available in the
684333ee039SDag-Erling Smørgrav.Ev SSH_ORIGINAL_COMMAND
685333ee039SDag-Erling Smørgravenvironment variable.
686d4af9e69SDag-Erling SmørgravSpecifying a command of
687ca86bcf2SDag-Erling Smørgrav.Cm internal-sftp
688ca86bcf2SDag-Erling Smørgravwill force the use of an in-process SFTP server that requires no support
689d4af9e69SDag-Erling Smørgravfiles when used with
690d4af9e69SDag-Erling Smørgrav.Cm ChrootDirectory .
691acc1a9efSDag-Erling SmørgravThe default is
692ca86bcf2SDag-Erling Smørgrav.Cm none .
693545d5ecaSDag-Erling Smørgrav.It Cm GatewayPorts
694545d5ecaSDag-Erling SmørgravSpecifies whether remote hosts are allowed to connect to ports
695545d5ecaSDag-Erling Smørgravforwarded for the client.
696545d5ecaSDag-Erling SmørgravBy default,
697333ee039SDag-Erling Smørgrav.Xr sshd 8
698e73e9afaSDag-Erling Smørgravbinds remote port forwardings to the loopback address.
699e73e9afaSDag-Erling SmørgravThis prevents other remote hosts from connecting to forwarded ports.
700545d5ecaSDag-Erling Smørgrav.Cm GatewayPorts
701333ee039SDag-Erling Smørgravcan be used to specify that sshd
702aa49c926SDag-Erling Smørgravshould allow remote port forwardings to bind to non-loopback addresses, thus
703aa49c926SDag-Erling Smørgravallowing other hosts to connect.
704aa49c926SDag-Erling SmørgravThe argument may be
705ca86bcf2SDag-Erling Smørgrav.Cm no
706aa49c926SDag-Erling Smørgravto force remote port forwardings to be available to the local host only,
707ca86bcf2SDag-Erling Smørgrav.Cm yes
708aa49c926SDag-Erling Smørgravto force remote port forwardings to bind to the wildcard address, or
709ca86bcf2SDag-Erling Smørgrav.Cm clientspecified
710aa49c926SDag-Erling Smørgravto allow the client to select the address to which the forwarding is bound.
711545d5ecaSDag-Erling SmørgravThe default is
712ca86bcf2SDag-Erling Smørgrav.Cm no .
713cf2b5f3bSDag-Erling Smørgrav.It Cm GSSAPIAuthentication
714cf2b5f3bSDag-Erling SmørgravSpecifies whether user authentication based on GSSAPI is allowed.
715cf2b5f3bSDag-Erling SmørgravThe default is
716ca86bcf2SDag-Erling Smørgrav.Cm no .
717cf2b5f3bSDag-Erling Smørgrav.It Cm GSSAPICleanupCredentials
718cf2b5f3bSDag-Erling SmørgravSpecifies whether to automatically destroy the user's credentials cache
719cf2b5f3bSDag-Erling Smørgravon logout.
720cf2b5f3bSDag-Erling SmørgravThe default is
721ca86bcf2SDag-Erling Smørgrav.Cm yes .
722557f75e5SDag-Erling Smørgrav.It Cm GSSAPIStrictAcceptorCheck
723557f75e5SDag-Erling SmørgravDetermines whether to be strict about the identity of the GSSAPI acceptor
724557f75e5SDag-Erling Smørgrava client authenticates against.
725557f75e5SDag-Erling SmørgravIf set to
726ca86bcf2SDag-Erling Smørgrav.Cm yes
727ca86bcf2SDag-Erling Smørgravthen the client must authenticate against the host
728557f75e5SDag-Erling Smørgravservice on the current hostname.
729557f75e5SDag-Erling SmørgravIf set to
730ca86bcf2SDag-Erling Smørgrav.Cm no
731557f75e5SDag-Erling Smørgravthen the client may authenticate against any service key stored in the
732557f75e5SDag-Erling Smørgravmachine's default store.
733557f75e5SDag-Erling SmørgravThis facility is provided to assist with operation on multi homed machines.
734557f75e5SDag-Erling SmørgravThe default is
735ca86bcf2SDag-Erling Smørgrav.Cm yes .
73619261079SEd Maste.It Cm HostbasedAcceptedAlgorithms
73719261079SEd MasteSpecifies the signature algorithms that will be accepted for hostbased
73819261079SEd Masteauthentication as a list of comma-separated patterns.
73919261079SEd MasteAlternately if the specified list begins with a
740eccfee6eSDag-Erling Smørgrav.Sq +
74119261079SEd Mastecharacter, then the specified signature algorithms will be appended to
74219261079SEd Mastethe default set instead of replacing them.
74319261079SEd MasteIf the specified list begins with a
744d93a896eSDag-Erling Smørgrav.Sq -
74519261079SEd Mastecharacter, then the specified signature algorithms (including wildcards)
74619261079SEd Mastewill be removed from the default set instead of replacing them.
74719261079SEd MasteIf the specified list begins with a
74819261079SEd Maste.Sq ^
74919261079SEd Mastecharacter, then the specified signature algorithms will be placed at
75019261079SEd Mastethe head of the default set.
751eccfee6eSDag-Erling SmørgravThe default for this option is:
752eccfee6eSDag-Erling Smørgrav.Bd -literal -offset 3n
75319261079SEd Mastessh-ed25519-cert-v01@openssh.com,
754eccfee6eSDag-Erling Smørgravecdsa-sha2-nistp256-cert-v01@openssh.com,
755eccfee6eSDag-Erling Smørgravecdsa-sha2-nistp384-cert-v01@openssh.com,
756eccfee6eSDag-Erling Smørgravecdsa-sha2-nistp521-cert-v01@openssh.com,
75719261079SEd Mastesk-ssh-ed25519-cert-v01@openssh.com,
75819261079SEd Mastesk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
75919261079SEd Mastersa-sha2-512-cert-v01@openssh.com,
76019261079SEd Mastersa-sha2-256-cert-v01@openssh.com,
76119261079SEd Mastessh-ed25519,
7629ded3306SDag-Erling Smørgravecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
76319261079SEd Mastesk-ssh-ed25519@openssh.com,
76419261079SEd Mastesk-ecdsa-sha2-nistp256@openssh.com,
765cea0d368SEd Mastersa-sha2-512,rsa-sha2-256
766eccfee6eSDag-Erling Smørgrav.Ed
767eccfee6eSDag-Erling Smørgrav.Pp
76819261079SEd MasteThe list of available signature algorithms may also be obtained using
76919261079SEd Maste.Qq ssh -Q HostbasedAcceptedAlgorithms .
77019261079SEd MasteThis was formerly named HostbasedAcceptedKeyTypes.
771545d5ecaSDag-Erling Smørgrav.It Cm HostbasedAuthentication
772545d5ecaSDag-Erling SmørgravSpecifies whether rhosts or /etc/hosts.equiv authentication together
773545d5ecaSDag-Erling Smørgravwith successful public key client host authentication is allowed
774333ee039SDag-Erling Smørgrav(host-based authentication).
775545d5ecaSDag-Erling SmørgravThe default is
776ca86bcf2SDag-Erling Smørgrav.Cm no .
777333ee039SDag-Erling Smørgrav.It Cm HostbasedUsesNameFromPacketOnly
778333ee039SDag-Erling SmørgravSpecifies whether or not the server will attempt to perform a reverse
779333ee039SDag-Erling Smørgravname lookup when matching the name in the
780333ee039SDag-Erling Smørgrav.Pa ~/.shosts ,
781333ee039SDag-Erling Smørgrav.Pa ~/.rhosts ,
782333ee039SDag-Erling Smørgravand
783333ee039SDag-Erling Smørgrav.Pa /etc/hosts.equiv
784333ee039SDag-Erling Smørgravfiles during
785333ee039SDag-Erling Smørgrav.Cm HostbasedAuthentication .
786333ee039SDag-Erling SmørgravA setting of
787ca86bcf2SDag-Erling Smørgrav.Cm yes
788333ee039SDag-Erling Smørgravmeans that
789333ee039SDag-Erling Smørgrav.Xr sshd 8
790333ee039SDag-Erling Smørgravuses the name supplied by the client rather than
791333ee039SDag-Erling Smørgravattempting to resolve the name from the TCP connection itself.
792333ee039SDag-Erling SmørgravThe default is
793ca86bcf2SDag-Erling Smørgrav.Cm no .
794b15c8340SDag-Erling Smørgrav.It Cm HostCertificate
795b15c8340SDag-Erling SmørgravSpecifies a file containing a public host certificate.
796b15c8340SDag-Erling SmørgravThe certificate's public key must match a private host key already specified
797b15c8340SDag-Erling Smørgravby
798b15c8340SDag-Erling Smørgrav.Cm HostKey .
799b15c8340SDag-Erling SmørgravThe default behaviour of
800b15c8340SDag-Erling Smørgrav.Xr sshd 8
801b15c8340SDag-Erling Smørgravis not to load any certificates.
802545d5ecaSDag-Erling Smørgrav.It Cm HostKey
803545d5ecaSDag-Erling SmørgravSpecifies a file containing a private host key
804545d5ecaSDag-Erling Smørgravused by SSH.
805ca86bcf2SDag-Erling SmørgravThe defaults are
806f7167e0eSDag-Erling Smørgrav.Pa /etc/ssh/ssh_host_ecdsa_key ,
807f7167e0eSDag-Erling Smørgrav.Pa /etc/ssh/ssh_host_ed25519_key
808d4af9e69SDag-Erling Smørgravand
809ca86bcf2SDag-Erling Smørgrav.Pa /etc/ssh/ssh_host_rsa_key .
810eccfee6eSDag-Erling Smørgrav.Pp
811545d5ecaSDag-Erling SmørgravNote that
812333ee039SDag-Erling Smørgrav.Xr sshd 8
813eccfee6eSDag-Erling Smørgravwill refuse to use a file if it is group/world-accessible
814eccfee6eSDag-Erling Smørgravand that the
815eccfee6eSDag-Erling Smørgrav.Cm HostKeyAlgorithms
816eccfee6eSDag-Erling Smørgravoption restricts which of the keys are actually used by
817eccfee6eSDag-Erling Smørgrav.Xr sshd 8 .
818eccfee6eSDag-Erling Smørgrav.Pp
819545d5ecaSDag-Erling SmørgravIt is possible to have multiple host key files.
820e4a9863fSDag-Erling SmørgravIt is also possible to specify public host key files instead.
821e4a9863fSDag-Erling SmørgravIn this case operations on the private key will be delegated
822e4a9863fSDag-Erling Smørgravto an
823e4a9863fSDag-Erling Smørgrav.Xr ssh-agent 1 .
824e4a9863fSDag-Erling Smørgrav.It Cm HostKeyAgent
825e4a9863fSDag-Erling SmørgravIdentifies the UNIX-domain socket used to communicate
826e4a9863fSDag-Erling Smørgravwith an agent that has access to the private host keys.
827076ad2f8SDag-Erling SmørgravIf the string
828ca86bcf2SDag-Erling Smørgrav.Qq SSH_AUTH_SOCK
829e4a9863fSDag-Erling Smørgravis specified, the location of the socket will be read from the
830e4a9863fSDag-Erling Smørgrav.Ev SSH_AUTH_SOCK
831e4a9863fSDag-Erling Smørgravenvironment variable.
832eccfee6eSDag-Erling Smørgrav.It Cm HostKeyAlgorithms
83319261079SEd MasteSpecifies the host key signature algorithms
834eccfee6eSDag-Erling Smørgravthat the server offers.
835eccfee6eSDag-Erling SmørgravThe default for this option is:
836eccfee6eSDag-Erling Smørgrav.Bd -literal -offset 3n
83719261079SEd Mastessh-ed25519-cert-v01@openssh.com,
838eccfee6eSDag-Erling Smørgravecdsa-sha2-nistp256-cert-v01@openssh.com,
839eccfee6eSDag-Erling Smørgravecdsa-sha2-nistp384-cert-v01@openssh.com,
840eccfee6eSDag-Erling Smørgravecdsa-sha2-nistp521-cert-v01@openssh.com,
84119261079SEd Mastesk-ssh-ed25519-cert-v01@openssh.com,
84219261079SEd Mastesk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
84319261079SEd Mastersa-sha2-512-cert-v01@openssh.com,
84419261079SEd Mastersa-sha2-256-cert-v01@openssh.com,
84519261079SEd Mastessh-ed25519,
8469ded3306SDag-Erling Smørgravecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
84719261079SEd Mastesk-ssh-ed25519@openssh.com,
84819261079SEd Mastesk-ecdsa-sha2-nistp256@openssh.com,
849cea0d368SEd Mastersa-sha2-512,rsa-sha2-256
850eccfee6eSDag-Erling Smørgrav.Ed
851eccfee6eSDag-Erling Smørgrav.Pp
85219261079SEd MasteThe list of available signature algorithms may also be obtained using
85319261079SEd Maste.Qq ssh -Q HostKeyAlgorithms .
854545d5ecaSDag-Erling Smørgrav.It Cm IgnoreRhosts
85519261079SEd MasteSpecifies whether to ignore per-user
856545d5ecaSDag-Erling Smørgrav.Pa .rhosts
857545d5ecaSDag-Erling Smørgravand
858545d5ecaSDag-Erling Smørgrav.Pa .shosts
85919261079SEd Mastefiles during
860545d5ecaSDag-Erling Smørgrav.Cm HostbasedAuthentication .
86119261079SEd MasteThe system-wide
862545d5ecaSDag-Erling Smørgrav.Pa /etc/hosts.equiv
863545d5ecaSDag-Erling Smørgravand
86435d4ccfbSDag-Erling Smørgrav.Pa /etc/ssh/shosts.equiv
86519261079SEd Masteare still used regardless of this setting.
86619261079SEd Maste.Pp
86719261079SEd MasteAccepted values are
86819261079SEd Maste.Cm yes
86919261079SEd Maste(the default) to ignore all per-user files,
87019261079SEd Maste.Cm shosts-only
87119261079SEd Masteto allow the use of
87219261079SEd Maste.Pa .shosts
87319261079SEd Mastebut to ignore
87419261079SEd Maste.Pa .rhosts
87519261079SEd Masteor
87619261079SEd Maste.Cm no
87719261079SEd Masteto allow both
87819261079SEd Maste.Pa .shosts
87919261079SEd Masteand
88019261079SEd Maste.Pa rhosts .
881545d5ecaSDag-Erling Smørgrav.It Cm IgnoreUserKnownHosts
882545d5ecaSDag-Erling SmørgravSpecifies whether
883333ee039SDag-Erling Smørgrav.Xr sshd 8
884545d5ecaSDag-Erling Smørgravshould ignore the user's
885d4ecd108SDag-Erling Smørgrav.Pa ~/.ssh/known_hosts
886545d5ecaSDag-Erling Smørgravduring
88747dd1d1bSDag-Erling Smørgrav.Cm HostbasedAuthentication
88847dd1d1bSDag-Erling Smørgravand use only the system-wide known hosts file
88938a52bd3SEd Maste.Pa /etc/ssh/ssh_known_hosts .
890545d5ecaSDag-Erling SmørgravThe default is
89119261079SEd Maste.Dq no .
89219261079SEd Maste.It Cm Include
89319261079SEd MasteInclude the specified configuration file(s).
89419261079SEd MasteMultiple pathnames may be specified and each pathname may contain
89519261079SEd Maste.Xr glob 7
89619261079SEd Mastewildcards that will be expanded and processed in lexical order.
89719261079SEd MasteFiles without absolute paths are assumed to be in
89819261079SEd Maste.Pa /etc/ssh .
89919261079SEd MasteAn
90019261079SEd Maste.Cm Include
90119261079SEd Mastedirective may appear inside a
90219261079SEd Maste.Cm Match
90319261079SEd Masteblock
90419261079SEd Masteto perform conditional inclusion.
9054a421b63SDag-Erling Smørgrav.It Cm IPQoS
9064a421b63SDag-Erling SmørgravSpecifies the IPv4 type-of-service or DSCP class for the connection.
9074a421b63SDag-Erling SmørgravAccepted values are
908ca86bcf2SDag-Erling Smørgrav.Cm af11 ,
909ca86bcf2SDag-Erling Smørgrav.Cm af12 ,
910ca86bcf2SDag-Erling Smørgrav.Cm af13 ,
911ca86bcf2SDag-Erling Smørgrav.Cm af21 ,
912ca86bcf2SDag-Erling Smørgrav.Cm af22 ,
913ca86bcf2SDag-Erling Smørgrav.Cm af23 ,
914ca86bcf2SDag-Erling Smørgrav.Cm af31 ,
915ca86bcf2SDag-Erling Smørgrav.Cm af32 ,
916ca86bcf2SDag-Erling Smørgrav.Cm af33 ,
917ca86bcf2SDag-Erling Smørgrav.Cm af41 ,
918ca86bcf2SDag-Erling Smørgrav.Cm af42 ,
919ca86bcf2SDag-Erling Smørgrav.Cm af43 ,
920ca86bcf2SDag-Erling Smørgrav.Cm cs0 ,
921ca86bcf2SDag-Erling Smørgrav.Cm cs1 ,
922ca86bcf2SDag-Erling Smørgrav.Cm cs2 ,
923ca86bcf2SDag-Erling Smørgrav.Cm cs3 ,
924ca86bcf2SDag-Erling Smørgrav.Cm cs4 ,
925ca86bcf2SDag-Erling Smørgrav.Cm cs5 ,
926ca86bcf2SDag-Erling Smørgrav.Cm cs6 ,
927ca86bcf2SDag-Erling Smørgrav.Cm cs7 ,
928ca86bcf2SDag-Erling Smørgrav.Cm ef ,
92919261079SEd Maste.Cm le ,
930ca86bcf2SDag-Erling Smørgrav.Cm lowdelay ,
931ca86bcf2SDag-Erling Smørgrav.Cm throughput ,
932ca86bcf2SDag-Erling Smørgrav.Cm reliability ,
9334f52dfbbSDag-Erling Smørgrava numeric value, or
9344f52dfbbSDag-Erling Smørgrav.Cm none
9354f52dfbbSDag-Erling Smørgravto use the operating system default.
9364a421b63SDag-Erling SmørgravThis option may take one or two arguments, separated by whitespace.
9374a421b63SDag-Erling SmørgravIf one argument is specified, it is used as the packet class unconditionally.
9384a421b63SDag-Erling SmørgravIf two values are specified, the first is automatically selected for
9394a421b63SDag-Erling Smørgravinteractive sessions and the second for non-interactive sessions.
9404a421b63SDag-Erling SmørgravThe default is
941190cef3dSDag-Erling Smørgrav.Cm af21
942190cef3dSDag-Erling Smørgrav(Low-Latency Data)
9434a421b63SDag-Erling Smørgravfor interactive sessions and
944190cef3dSDag-Erling Smørgrav.Cm cs1
945190cef3dSDag-Erling Smørgrav(Lower Effort)
9464a421b63SDag-Erling Smørgravfor non-interactive sessions.
947b83788ffSDag-Erling Smørgrav.It Cm KbdInteractiveAuthentication
948b83788ffSDag-Erling SmørgravSpecifies whether to allow keyboard-interactive authentication.
94919261079SEd MasteAll authentication styles from
95019261079SEd Maste.Xr login.conf 5
95119261079SEd Masteare supported.
95219261079SEd MasteThe default is
95319261079SEd Maste.Cm yes .
954b83788ffSDag-Erling SmørgravThe argument to this keyword must be
955ca86bcf2SDag-Erling Smørgrav.Cm yes
956b83788ffSDag-Erling Smørgravor
957ca86bcf2SDag-Erling Smørgrav.Cm no .
958b83788ffSDag-Erling Smørgrav.Cm ChallengeResponseAuthentication
95919261079SEd Masteis a deprecated alias for this.
960545d5ecaSDag-Erling Smørgrav.It Cm KerberosAuthentication
961cf2b5f3bSDag-Erling SmørgravSpecifies whether the password provided by the user for
962545d5ecaSDag-Erling Smørgrav.Cm PasswordAuthentication
963cf2b5f3bSDag-Erling Smørgravwill be validated through the Kerberos KDC.
964545d5ecaSDag-Erling SmørgravTo use this option, the server needs a
965545d5ecaSDag-Erling SmørgravKerberos servtab which allows the verification of the KDC's identity.
966333ee039SDag-Erling SmørgravThe default is
967ca86bcf2SDag-Erling Smørgrav.Cm no .
9685962c0e9SDag-Erling Smørgrav.It Cm KerberosGetAFSToken
969b74df5b2SDag-Erling SmørgravIf AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
9705962c0e9SDag-Erling Smørgravan AFS token before accessing the user's home directory.
971333ee039SDag-Erling SmørgravThe default is
972ca86bcf2SDag-Erling Smørgrav.Cm no .
973545d5ecaSDag-Erling Smørgrav.It Cm KerberosOrLocalPasswd
974333ee039SDag-Erling SmørgravIf password authentication through Kerberos fails then
975545d5ecaSDag-Erling Smørgravthe password will be validated via any additional local mechanism
976545d5ecaSDag-Erling Smørgravsuch as
977545d5ecaSDag-Erling Smørgrav.Pa /etc/passwd .
978333ee039SDag-Erling SmørgravThe default is
979ca86bcf2SDag-Erling Smørgrav.Cm yes .
980545d5ecaSDag-Erling Smørgrav.It Cm KerberosTicketCleanup
981545d5ecaSDag-Erling SmørgravSpecifies whether to automatically destroy the user's ticket cache
982545d5ecaSDag-Erling Smørgravfile on logout.
983333ee039SDag-Erling SmørgravThe default is
984ca86bcf2SDag-Erling Smørgrav.Cm yes .
9854a421b63SDag-Erling Smørgrav.It Cm KexAlgorithms
9864a421b63SDag-Erling SmørgravSpecifies the available KEX (Key Exchange) algorithms.
9874a421b63SDag-Erling SmørgravMultiple algorithms must be comma-separated.
98819261079SEd MasteAlternately if the specified list begins with a
989eccfee6eSDag-Erling Smørgrav.Sq +
990e9e8876aSEd Mastecharacter, then the specified algorithms will be appended to the default set
991eccfee6eSDag-Erling Smørgravinstead of replacing them.
99219261079SEd MasteIf the specified list begins with a
993d93a896eSDag-Erling Smørgrav.Sq -
994e9e8876aSEd Mastecharacter, then the specified algorithms (including wildcards) will be removed
995d93a896eSDag-Erling Smørgravfrom the default set instead of replacing them.
99619261079SEd MasteIf the specified list begins with a
99719261079SEd Maste.Sq ^
998e9e8876aSEd Mastecharacter, then the specified algorithms will be placed at the head of the
99919261079SEd Mastedefault set.
1000a0ee8cc6SDag-Erling SmørgravThe supported algorithms are:
1001a0ee8cc6SDag-Erling Smørgrav.Pp
1002a0ee8cc6SDag-Erling Smørgrav.Bl -item -compact -offset indent
1003a0ee8cc6SDag-Erling Smørgrav.It
1004ca86bcf2SDag-Erling Smørgravcurve25519-sha256
1005ca86bcf2SDag-Erling Smørgrav.It
1006a0ee8cc6SDag-Erling Smørgravcurve25519-sha256@libssh.org
1007a0ee8cc6SDag-Erling Smørgrav.It
1008a0ee8cc6SDag-Erling Smørgravdiffie-hellman-group1-sha1
1009a0ee8cc6SDag-Erling Smørgrav.It
1010a0ee8cc6SDag-Erling Smørgravdiffie-hellman-group14-sha1
1011a0ee8cc6SDag-Erling Smørgrav.It
101247dd1d1bSDag-Erling Smørgravdiffie-hellman-group14-sha256
101347dd1d1bSDag-Erling Smørgrav.It
101447dd1d1bSDag-Erling Smørgravdiffie-hellman-group16-sha512
101547dd1d1bSDag-Erling Smørgrav.It
101647dd1d1bSDag-Erling Smørgravdiffie-hellman-group18-sha512
101747dd1d1bSDag-Erling Smørgrav.It
1018a0ee8cc6SDag-Erling Smørgravdiffie-hellman-group-exchange-sha1
1019a0ee8cc6SDag-Erling Smørgrav.It
1020a0ee8cc6SDag-Erling Smørgravdiffie-hellman-group-exchange-sha256
1021a0ee8cc6SDag-Erling Smørgrav.It
1022a0ee8cc6SDag-Erling Smørgravecdh-sha2-nistp256
1023a0ee8cc6SDag-Erling Smørgrav.It
1024a0ee8cc6SDag-Erling Smørgravecdh-sha2-nistp384
1025a0ee8cc6SDag-Erling Smørgrav.It
1026a0ee8cc6SDag-Erling Smørgravecdh-sha2-nistp521
102719261079SEd Maste.It
102819261079SEd Mastesntrup761x25519-sha512@openssh.com
1029a0ee8cc6SDag-Erling Smørgrav.El
1030a0ee8cc6SDag-Erling Smørgrav.Pp
1031a0ee8cc6SDag-Erling SmørgravThe default is:
1032f7167e0eSDag-Erling Smørgrav.Bd -literal -offset indent
103387c1498dSEd Mastesntrup761x25519-sha512@openssh.com,
1034ca86bcf2SDag-Erling Smørgravcurve25519-sha256,curve25519-sha256@libssh.org,
1035f7167e0eSDag-Erling Smørgravecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
1036f7167e0eSDag-Erling Smørgravdiffie-hellman-group-exchange-sha256,
103747dd1d1bSDag-Erling Smørgravdiffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
103819261079SEd Mastediffie-hellman-group14-sha256
1039f7167e0eSDag-Erling Smørgrav.Ed
1040bc5531deSDag-Erling Smørgrav.Pp
1041ca86bcf2SDag-Erling SmørgravThe list of available key exchange algorithms may also be obtained using
104219261079SEd Maste.Qq ssh -Q KexAlgorithms .
1043545d5ecaSDag-Erling Smørgrav.It Cm ListenAddress
1044545d5ecaSDag-Erling SmørgravSpecifies the local addresses
1045333ee039SDag-Erling Smørgrav.Xr sshd 8
1046545d5ecaSDag-Erling Smørgravshould listen on.
1047545d5ecaSDag-Erling SmørgravThe following forms may be used:
1048545d5ecaSDag-Erling Smørgrav.Pp
1049545d5ecaSDag-Erling Smørgrav.Bl -item -offset indent -compact
1050545d5ecaSDag-Erling Smørgrav.It
1051545d5ecaSDag-Erling Smørgrav.Cm ListenAddress
1052545d5ecaSDag-Erling Smørgrav.Sm off
105347dd1d1bSDag-Erling Smørgrav.Ar hostname | address
1054545d5ecaSDag-Erling Smørgrav.Sm on
105547dd1d1bSDag-Erling Smørgrav.Op Cm rdomain Ar domain
1056545d5ecaSDag-Erling Smørgrav.It
1057545d5ecaSDag-Erling Smørgrav.Cm ListenAddress
1058545d5ecaSDag-Erling Smørgrav.Sm off
105947dd1d1bSDag-Erling Smørgrav.Ar hostname : port
1060545d5ecaSDag-Erling Smørgrav.Sm on
106147dd1d1bSDag-Erling Smørgrav.Op Cm rdomain Ar domain
1062545d5ecaSDag-Erling Smørgrav.It
1063545d5ecaSDag-Erling Smørgrav.Cm ListenAddress
1064545d5ecaSDag-Erling Smørgrav.Sm off
106547dd1d1bSDag-Erling Smørgrav.Ar IPv4_address : port
1066545d5ecaSDag-Erling Smørgrav.Sm on
106747dd1d1bSDag-Erling Smørgrav.Op Cm rdomain Ar domain
106847dd1d1bSDag-Erling Smørgrav.It
106947dd1d1bSDag-Erling Smørgrav.Cm ListenAddress
107047dd1d1bSDag-Erling Smørgrav.Sm off
107147dd1d1bSDag-Erling Smørgrav.Oo Ar hostname | address Oc : Ar port
107247dd1d1bSDag-Erling Smørgrav.Sm on
107347dd1d1bSDag-Erling Smørgrav.Op Cm rdomain Ar domain
1074545d5ecaSDag-Erling Smørgrav.El
1075545d5ecaSDag-Erling Smørgrav.Pp
107647dd1d1bSDag-Erling SmørgravThe optional
107747dd1d1bSDag-Erling Smørgrav.Cm rdomain
107847dd1d1bSDag-Erling Smørgravqualifier requests
107947dd1d1bSDag-Erling Smørgrav.Xr sshd 8
108047dd1d1bSDag-Erling Smørgravlisten in an explicit routing domain.
1081545d5ecaSDag-Erling SmørgravIf
1082545d5ecaSDag-Erling Smørgrav.Ar port
1083545d5ecaSDag-Erling Smørgravis not specified,
1084557f75e5SDag-Erling Smørgravsshd will listen on the address and all
1085545d5ecaSDag-Erling Smørgrav.Cm Port
1086cf2b5f3bSDag-Erling Smørgravoptions specified.
108747dd1d1bSDag-Erling SmørgravThe default is to listen on all local addresses on the current default
108847dd1d1bSDag-Erling Smørgravrouting domain.
1089e73e9afaSDag-Erling SmørgravMultiple
1090545d5ecaSDag-Erling Smørgrav.Cm ListenAddress
1091cf2b5f3bSDag-Erling Smørgravoptions are permitted.
109247dd1d1bSDag-Erling SmørgravFor more information on routing domains, see
109347dd1d1bSDag-Erling Smørgrav.Xr rdomain 4 .
1094545d5ecaSDag-Erling Smørgrav.It Cm LoginGraceTime
1095545d5ecaSDag-Erling SmørgravThe server disconnects after this time if the user has not
1096545d5ecaSDag-Erling Smørgravsuccessfully logged in.
1097545d5ecaSDag-Erling SmørgravIf the value is 0, there is no time limit.
1098f388f5efSDag-Erling SmørgravThe default is 120 seconds.
1099545d5ecaSDag-Erling Smørgrav.It Cm LogLevel
1100545d5ecaSDag-Erling SmørgravGives the verbosity level that is used when logging messages from
1101333ee039SDag-Erling Smørgrav.Xr sshd 8 .
1102545d5ecaSDag-Erling SmørgravThe possible values are:
1103333ee039SDag-Erling SmørgravQUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
1104e73e9afaSDag-Erling SmørgravThe default is INFO.
1105e73e9afaSDag-Erling SmørgravDEBUG and DEBUG1 are equivalent.
1106e73e9afaSDag-Erling SmørgravDEBUG2 and DEBUG3 each specify higher levels of debugging output.
1107e73e9afaSDag-Erling SmørgravLogging with a DEBUG level violates the privacy of users and is not recommended.
110819261079SEd Maste.It Cm LogVerbose
110919261079SEd MasteSpecify one or more overrides to LogLevel.
111019261079SEd MasteAn override consists of a pattern lists that matches the source file, function
111119261079SEd Masteand line number to force detailed logging for.
111219261079SEd MasteFor example, an override pattern of:
111319261079SEd Maste.Bd -literal -offset indent
111419261079SEd Mastekex.c:*:1000,*:kex_exchange_identification():*,packet.c:*
111519261079SEd Maste.Ed
111619261079SEd Maste.Pp
111719261079SEd Mastewould enable detailed logging for line 1000 of
111819261079SEd Maste.Pa kex.c ,
111919261079SEd Masteeverything in the
112019261079SEd Maste.Fn kex_exchange_identification
112119261079SEd Mastefunction, and all code in the
112219261079SEd Maste.Pa packet.c
112319261079SEd Mastefile.
112419261079SEd MasteThis option is intended for debugging and no overrides are enabled by default.
1125545d5ecaSDag-Erling Smørgrav.It Cm MACs
1126545d5ecaSDag-Erling SmørgravSpecifies the available MAC (message authentication code) algorithms.
1127acc1a9efSDag-Erling SmørgravThe MAC algorithm is used for data integrity protection.
1128545d5ecaSDag-Erling SmørgravMultiple algorithms must be comma-separated.
112919261079SEd MasteIf the specified list begins with a
1130eccfee6eSDag-Erling Smørgrav.Sq +
1131eccfee6eSDag-Erling Smørgravcharacter, then the specified algorithms will be appended to the default set
1132eccfee6eSDag-Erling Smørgravinstead of replacing them.
113319261079SEd MasteIf the specified list begins with a
1134d93a896eSDag-Erling Smørgrav.Sq -
1135d93a896eSDag-Erling Smørgravcharacter, then the specified algorithms (including wildcards) will be removed
1136d93a896eSDag-Erling Smørgravfrom the default set instead of replacing them.
113719261079SEd MasteIf the specified list begins with a
113819261079SEd Maste.Sq ^
113919261079SEd Mastecharacter, then the specified algorithms will be placed at the head of the
114019261079SEd Mastedefault set.
1141eccfee6eSDag-Erling Smørgrav.Pp
11426888a9beSDag-Erling SmørgravThe algorithms that contain
1143ca86bcf2SDag-Erling Smørgrav.Qq -etm
11446888a9beSDag-Erling Smørgravcalculate the MAC after encryption (encrypt-then-mac).
11456888a9beSDag-Erling SmørgravThese are considered safer and their use recommended.
1146a0ee8cc6SDag-Erling SmørgravThe supported MACs are:
1147a0ee8cc6SDag-Erling Smørgrav.Pp
1148a0ee8cc6SDag-Erling Smørgrav.Bl -item -compact -offset indent
1149a0ee8cc6SDag-Erling Smørgrav.It
1150a0ee8cc6SDag-Erling Smørgravhmac-md5
1151a0ee8cc6SDag-Erling Smørgrav.It
1152a0ee8cc6SDag-Erling Smørgravhmac-md5-96
1153a0ee8cc6SDag-Erling Smørgrav.It
1154a0ee8cc6SDag-Erling Smørgravhmac-sha1
1155a0ee8cc6SDag-Erling Smørgrav.It
1156a0ee8cc6SDag-Erling Smørgravhmac-sha1-96
1157a0ee8cc6SDag-Erling Smørgrav.It
1158a0ee8cc6SDag-Erling Smørgravhmac-sha2-256
1159a0ee8cc6SDag-Erling Smørgrav.It
1160a0ee8cc6SDag-Erling Smørgravhmac-sha2-512
1161a0ee8cc6SDag-Erling Smørgrav.It
1162a0ee8cc6SDag-Erling Smørgravumac-64@openssh.com
1163a0ee8cc6SDag-Erling Smørgrav.It
1164a0ee8cc6SDag-Erling Smørgravumac-128@openssh.com
1165a0ee8cc6SDag-Erling Smørgrav.It
1166a0ee8cc6SDag-Erling Smørgravhmac-md5-etm@openssh.com
1167a0ee8cc6SDag-Erling Smørgrav.It
1168a0ee8cc6SDag-Erling Smørgravhmac-md5-96-etm@openssh.com
1169a0ee8cc6SDag-Erling Smørgrav.It
1170a0ee8cc6SDag-Erling Smørgravhmac-sha1-etm@openssh.com
1171a0ee8cc6SDag-Erling Smørgrav.It
1172a0ee8cc6SDag-Erling Smørgravhmac-sha1-96-etm@openssh.com
1173a0ee8cc6SDag-Erling Smørgrav.It
1174a0ee8cc6SDag-Erling Smørgravhmac-sha2-256-etm@openssh.com
1175a0ee8cc6SDag-Erling Smørgrav.It
1176a0ee8cc6SDag-Erling Smørgravhmac-sha2-512-etm@openssh.com
1177a0ee8cc6SDag-Erling Smørgrav.It
1178a0ee8cc6SDag-Erling Smørgravumac-64-etm@openssh.com
1179a0ee8cc6SDag-Erling Smørgrav.It
1180a0ee8cc6SDag-Erling Smørgravumac-128-etm@openssh.com
1181a0ee8cc6SDag-Erling Smørgrav.El
1182a0ee8cc6SDag-Erling Smørgrav.Pp
1183333ee039SDag-Erling SmørgravThe default is:
1184d4af9e69SDag-Erling Smørgrav.Bd -literal -offset indent
11856888a9beSDag-Erling Smørgravumac-64-etm@openssh.com,umac-128-etm@openssh.com,
11866888a9beSDag-Erling Smørgravhmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
1187acc1a9efSDag-Erling Smørgravhmac-sha1-etm@openssh.com,
1188a0ee8cc6SDag-Erling Smørgravumac-64@openssh.com,umac-128@openssh.com,
1189acc1a9efSDag-Erling Smørgravhmac-sha2-256,hmac-sha2-512,hmac-sha1
1190d4af9e69SDag-Erling Smørgrav.Ed
1191bc5531deSDag-Erling Smørgrav.Pp
1192ca86bcf2SDag-Erling SmørgravThe list of available MAC algorithms may also be obtained using
1193ca86bcf2SDag-Erling Smørgrav.Qq ssh -Q mac .
1194333ee039SDag-Erling Smørgrav.It Cm Match
1195333ee039SDag-Erling SmørgravIntroduces a conditional block.
1196333ee039SDag-Erling SmørgravIf all of the criteria on the
1197333ee039SDag-Erling Smørgrav.Cm Match
1198333ee039SDag-Erling Smørgravline are satisfied, the keywords on the following lines override those
1199333ee039SDag-Erling Smørgravset in the global section of the config file, until either another
1200333ee039SDag-Erling Smørgrav.Cm Match
1201333ee039SDag-Erling Smørgravline or the end of the file.
1202b83788ffSDag-Erling SmørgravIf a keyword appears in multiple
1203b83788ffSDag-Erling Smørgrav.Cm Match
1204bc5531deSDag-Erling Smørgravblocks that are satisfied, only the first instance of the keyword is
1205b83788ffSDag-Erling Smørgravapplied.
1206d4af9e69SDag-Erling Smørgrav.Pp
1207333ee039SDag-Erling SmørgravThe arguments to
1208333ee039SDag-Erling Smørgrav.Cm Match
1209f7167e0eSDag-Erling Smørgravare one or more criteria-pattern pairs or the single token
1210f7167e0eSDag-Erling Smørgrav.Cm All
1211f7167e0eSDag-Erling Smørgravwhich matches all criteria.
1212333ee039SDag-Erling SmørgravThe available criteria are
1213333ee039SDag-Erling Smørgrav.Cm User ,
1214333ee039SDag-Erling Smørgrav.Cm Group ,
1215333ee039SDag-Erling Smørgrav.Cm Host ,
1216462c32cbSDag-Erling Smørgrav.Cm LocalAddress ,
1217462c32cbSDag-Erling Smørgrav.Cm LocalPort ,
121847dd1d1bSDag-Erling Smørgrav.Cm RDomain ,
1219333ee039SDag-Erling Smørgravand
122047dd1d1bSDag-Erling Smørgrav.Cm Address
122147dd1d1bSDag-Erling Smørgrav(with
122247dd1d1bSDag-Erling Smørgrav.Cm RDomain
122347dd1d1bSDag-Erling Smørgravrepresenting the
122447dd1d1bSDag-Erling Smørgrav.Xr rdomain 4
122519261079SEd Masteon which the connection was received).
122647dd1d1bSDag-Erling Smørgrav.Pp
1227d4af9e69SDag-Erling SmørgravThe match patterns may consist of single entries or comma-separated
1228d4af9e69SDag-Erling Smørgravlists and may use the wildcard and negation operators described in the
1229ca86bcf2SDag-Erling Smørgrav.Sx PATTERNS
1230ca86bcf2SDag-Erling Smørgravsection of
1231d4af9e69SDag-Erling Smørgrav.Xr ssh_config 5 .
1232d4af9e69SDag-Erling Smørgrav.Pp
1233d4af9e69SDag-Erling SmørgravThe patterns in an
1234d4af9e69SDag-Erling Smørgrav.Cm Address
1235d4af9e69SDag-Erling Smørgravcriteria may additionally contain addresses to match in CIDR
1236ca86bcf2SDag-Erling Smørgravaddress/masklen format,
1237ca86bcf2SDag-Erling Smørgravsuch as 192.0.2.0/24 or 2001:db8::/32.
1238d4af9e69SDag-Erling SmørgravNote that the mask length provided must be consistent with the address -
1239d4af9e69SDag-Erling Smørgravit is an error to specify a mask length that is too long for the address
1240d4af9e69SDag-Erling Smørgravor one with bits set in this host portion of the address.
1241ca86bcf2SDag-Erling SmørgravFor example, 192.0.2.0/33 and 192.0.2.0/8, respectively.
1242d4af9e69SDag-Erling Smørgrav.Pp
1243333ee039SDag-Erling SmørgravOnly a subset of keywords may be used on the lines following a
1244333ee039SDag-Erling Smørgrav.Cm Match
1245333ee039SDag-Erling Smørgravkeyword.
1246333ee039SDag-Erling SmørgravAvailable keywords are
1247462c32cbSDag-Erling Smørgrav.Cm AcceptEnv ,
1248cce7d346SDag-Erling Smørgrav.Cm AllowAgentForwarding ,
1249462c32cbSDag-Erling Smørgrav.Cm AllowGroups ,
1250bc5531deSDag-Erling Smørgrav.Cm AllowStreamLocalForwarding ,
1251333ee039SDag-Erling Smørgrav.Cm AllowTcpForwarding ,
1252462c32cbSDag-Erling Smørgrav.Cm AllowUsers ,
12536888a9beSDag-Erling Smørgrav.Cm AuthenticationMethods ,
12546888a9beSDag-Erling Smørgrav.Cm AuthorizedKeysCommand ,
12556888a9beSDag-Erling Smørgrav.Cm AuthorizedKeysCommandUser ,
1256e2f6069cSDag-Erling Smørgrav.Cm AuthorizedKeysFile ,
1257acc1a9efSDag-Erling Smørgrav.Cm AuthorizedPrincipalsCommand ,
1258acc1a9efSDag-Erling Smørgrav.Cm AuthorizedPrincipalsCommandUser ,
1259e2f6069cSDag-Erling Smørgrav.Cm AuthorizedPrincipalsFile ,
1260d4af9e69SDag-Erling Smørgrav.Cm Banner ,
12611323ec57SEd Maste.Cm CASignatureAlgorithms ,
1262*f374ba41SEd Maste.Cm ChannelTimeout ,
1263d4af9e69SDag-Erling Smørgrav.Cm ChrootDirectory ,
1264ca86bcf2SDag-Erling Smørgrav.Cm ClientAliveCountMax ,
1265ca86bcf2SDag-Erling Smørgrav.Cm ClientAliveInterval ,
1266462c32cbSDag-Erling Smørgrav.Cm DenyGroups ,
1267462c32cbSDag-Erling Smørgrav.Cm DenyUsers ,
126819261079SEd Maste.Cm DisableForwarding ,
12691323ec57SEd Maste.Cm ExposeAuthInfo ,
1270333ee039SDag-Erling Smørgrav.Cm ForceCommand ,
1271333ee039SDag-Erling Smørgrav.Cm GatewayPorts ,
1272d4af9e69SDag-Erling Smørgrav.Cm GSSAPIAuthentication ,
127319261079SEd Maste.Cm HostbasedAcceptedAlgorithms ,
1274d4af9e69SDag-Erling Smørgrav.Cm HostbasedAuthentication ,
1275e2f6069cSDag-Erling Smørgrav.Cm HostbasedUsesNameFromPacketOnly ,
127619261079SEd Maste.Cm IgnoreRhosts ,
127719261079SEd Maste.Cm Include ,
1278bc5531deSDag-Erling Smørgrav.Cm IPQoS ,
1279d4af9e69SDag-Erling Smørgrav.Cm KbdInteractiveAuthentication ,
1280d4af9e69SDag-Erling Smørgrav.Cm KerberosAuthentication ,
12814f52dfbbSDag-Erling Smørgrav.Cm LogLevel ,
1282d4af9e69SDag-Erling Smørgrav.Cm MaxAuthTries ,
1283d4af9e69SDag-Erling Smørgrav.Cm MaxSessions ,
1284d4af9e69SDag-Erling Smørgrav.Cm PasswordAuthentication ,
1285cce7d346SDag-Erling Smørgrav.Cm PermitEmptyPasswords ,
1286190cef3dSDag-Erling Smørgrav.Cm PermitListen ,
1287333ee039SDag-Erling Smørgrav.Cm PermitOpen ,
1288d4af9e69SDag-Erling Smørgrav.Cm PermitRootLogin ,
1289f7167e0eSDag-Erling Smørgrav.Cm PermitTTY ,
1290e2f6069cSDag-Erling Smørgrav.Cm PermitTunnel ,
1291a0ee8cc6SDag-Erling Smørgrav.Cm PermitUserRC ,
129219261079SEd Maste.Cm PubkeyAcceptedAlgorithms ,
1293b15c8340SDag-Erling Smørgrav.Cm PubkeyAuthentication ,
12941323ec57SEd Maste.Cm PubkeyAuthOptions ,
1295e4a9863fSDag-Erling Smørgrav.Cm RekeyLimit ,
1296bc5531deSDag-Erling Smørgrav.Cm RevokedKeys ,
129747dd1d1bSDag-Erling Smørgrav.Cm RDomain ,
1298190cef3dSDag-Erling Smørgrav.Cm SetEnv ,
1299bc5531deSDag-Erling Smørgrav.Cm StreamLocalBindMask ,
1300bc5531deSDag-Erling Smørgrav.Cm StreamLocalBindUnlink ,
1301bc5531deSDag-Erling Smørgrav.Cm TrustedUserCAKeys ,
1302*f374ba41SEd Maste.Cm UnusedConnectionTimeout ,
1303333ee039SDag-Erling Smørgrav.Cm X11DisplayOffset ,
1304cce7d346SDag-Erling Smørgrav.Cm X11Forwarding
1305333ee039SDag-Erling Smørgravand
130619261079SEd Maste.Cm X11UseLocalhost .
130721e764dfSDag-Erling Smørgrav.It Cm MaxAuthTries
130821e764dfSDag-Erling SmørgravSpecifies the maximum number of authentication attempts permitted per
130921e764dfSDag-Erling Smørgravconnection.
131021e764dfSDag-Erling SmørgravOnce the number of failures reaches half this value,
131121e764dfSDag-Erling Smørgravadditional failures are logged.
131221e764dfSDag-Erling SmørgravThe default is 6.
1313d4af9e69SDag-Erling Smørgrav.It Cm MaxSessions
1314acc1a9efSDag-Erling SmørgravSpecifies the maximum number of open shell, login or subsystem (e.g. sftp)
1315acc1a9efSDag-Erling Smørgravsessions permitted per network connection.
1316acc1a9efSDag-Erling SmørgravMultiple sessions may be established by clients that support connection
1317acc1a9efSDag-Erling Smørgravmultiplexing.
1318acc1a9efSDag-Erling SmørgravSetting
1319acc1a9efSDag-Erling Smørgrav.Cm MaxSessions
1320acc1a9efSDag-Erling Smørgravto 1 will effectively disable session multiplexing, whereas setting it to 0
1321acc1a9efSDag-Erling Smørgravwill prevent all shell, login and subsystem sessions while still permitting
1322acc1a9efSDag-Erling Smørgravforwarding.
1323d4af9e69SDag-Erling SmørgravThe default is 10.
1324545d5ecaSDag-Erling Smørgrav.It Cm MaxStartups
1325545d5ecaSDag-Erling SmørgravSpecifies the maximum number of concurrent unauthenticated connections to the
1326333ee039SDag-Erling SmørgravSSH daemon.
1327545d5ecaSDag-Erling SmørgravAdditional connections will be dropped until authentication succeeds or the
1328545d5ecaSDag-Erling Smørgrav.Cm LoginGraceTime
1329545d5ecaSDag-Erling Smørgravexpires for a connection.
13306888a9beSDag-Erling SmørgravThe default is 10:30:100.
1331545d5ecaSDag-Erling Smørgrav.Pp
1332545d5ecaSDag-Erling SmørgravAlternatively, random early drop can be enabled by specifying
1333545d5ecaSDag-Erling Smørgravthe three colon separated values
1334ca86bcf2SDag-Erling Smørgravstart:rate:full (e.g. "10:30:60").
1335333ee039SDag-Erling Smørgrav.Xr sshd 8
1336ca86bcf2SDag-Erling Smørgravwill refuse connection attempts with a probability of rate/100 (30%)
1337ca86bcf2SDag-Erling Smørgravif there are currently start (10) unauthenticated connections.
1338545d5ecaSDag-Erling SmørgravThe probability increases linearly and all connection attempts
1339ca86bcf2SDag-Erling Smørgravare refused if the number of unauthenticated connections reaches full (60).
134019261079SEd Maste.It Cm ModuliFile
134119261079SEd MasteSpecifies the
134219261079SEd Maste.Xr moduli 5
134319261079SEd Mastefile that contains the Diffie-Hellman groups used for the
134419261079SEd Maste.Dq diffie-hellman-group-exchange-sha1
134519261079SEd Masteand
134619261079SEd Maste.Dq diffie-hellman-group-exchange-sha256
134719261079SEd Mastekey exchange methods.
134819261079SEd MasteThe default is
134919261079SEd Maste.Pa /etc/moduli .
1350545d5ecaSDag-Erling Smørgrav.It Cm PasswordAuthentication
1351545d5ecaSDag-Erling SmørgravSpecifies whether password authentication is allowed.
13529f009e06SEd MasteNote that passwords may also be accepted via
13539f009e06SEd Maste.Cm KbdInteractiveAuthentication .
1354d4af9e69SDag-Erling SmørgravSee also
1355d4af9e69SDag-Erling Smørgrav.Cm UsePAM .
1356545d5ecaSDag-Erling SmørgravThe default is
1357ca86bcf2SDag-Erling Smørgrav.Cm no .
1358545d5ecaSDag-Erling Smørgrav.It Cm PermitEmptyPasswords
1359545d5ecaSDag-Erling SmørgravWhen password authentication is allowed, it specifies whether the
1360545d5ecaSDag-Erling Smørgravserver allows login to accounts with empty password strings.
1361545d5ecaSDag-Erling SmørgravThe default is
1362ca86bcf2SDag-Erling Smørgrav.Cm no .
1363190cef3dSDag-Erling Smørgrav.It Cm PermitListen
1364190cef3dSDag-Erling SmørgravSpecifies the addresses/ports on which a remote TCP port forwarding may listen.
1365190cef3dSDag-Erling SmørgravThe listen specification must be one of the following forms:
1366190cef3dSDag-Erling Smørgrav.Pp
1367190cef3dSDag-Erling Smørgrav.Bl -item -offset indent -compact
1368190cef3dSDag-Erling Smørgrav.It
1369190cef3dSDag-Erling Smørgrav.Cm PermitListen
1370190cef3dSDag-Erling Smørgrav.Sm off
1371190cef3dSDag-Erling Smørgrav.Ar port
1372190cef3dSDag-Erling Smørgrav.Sm on
1373190cef3dSDag-Erling Smørgrav.It
1374190cef3dSDag-Erling Smørgrav.Cm PermitListen
1375190cef3dSDag-Erling Smørgrav.Sm off
1376190cef3dSDag-Erling Smørgrav.Ar host : port
1377190cef3dSDag-Erling Smørgrav.Sm on
1378190cef3dSDag-Erling Smørgrav.El
1379190cef3dSDag-Erling Smørgrav.Pp
1380190cef3dSDag-Erling SmørgravMultiple permissions may be specified by separating them with whitespace.
1381190cef3dSDag-Erling SmørgravAn argument of
1382190cef3dSDag-Erling Smørgrav.Cm any
1383190cef3dSDag-Erling Smørgravcan be used to remove all restrictions and permit any listen requests.
1384190cef3dSDag-Erling SmørgravAn argument of
1385190cef3dSDag-Erling Smørgrav.Cm none
1386190cef3dSDag-Erling Smørgravcan be used to prohibit all listen requests.
1387190cef3dSDag-Erling SmørgravThe host name may contain wildcards as described in the PATTERNS section in
1388190cef3dSDag-Erling Smørgrav.Xr ssh_config 5 .
1389190cef3dSDag-Erling SmørgravThe wildcard
1390190cef3dSDag-Erling Smørgrav.Sq *
1391190cef3dSDag-Erling Smørgravcan also be used in place of a port number to allow all ports.
1392190cef3dSDag-Erling SmørgravBy default all port forwarding listen requests are permitted.
1393190cef3dSDag-Erling SmørgravNote that the
1394190cef3dSDag-Erling Smørgrav.Cm GatewayPorts
1395190cef3dSDag-Erling Smørgravoption may further restrict which addresses may be listened on.
1396190cef3dSDag-Erling SmørgravNote also that
1397190cef3dSDag-Erling Smørgrav.Xr ssh 1
1398190cef3dSDag-Erling Smørgravwill request a listen host of
1399190cef3dSDag-Erling Smørgrav.Dq localhost
140019261079SEd Masteif no listen host was specifically requested, and this name is
1401190cef3dSDag-Erling Smørgravtreated differently to explicit localhost addresses of
1402190cef3dSDag-Erling Smørgrav.Dq 127.0.0.1
1403190cef3dSDag-Erling Smørgravand
1404190cef3dSDag-Erling Smørgrav.Dq ::1 .
1405333ee039SDag-Erling Smørgrav.It Cm PermitOpen
1406333ee039SDag-Erling SmørgravSpecifies the destinations to which TCP port forwarding is permitted.
1407333ee039SDag-Erling SmørgravThe forwarding specification must be one of the following forms:
1408333ee039SDag-Erling Smørgrav.Pp
1409333ee039SDag-Erling Smørgrav.Bl -item -offset indent -compact
1410333ee039SDag-Erling Smørgrav.It
1411333ee039SDag-Erling Smørgrav.Cm PermitOpen
1412333ee039SDag-Erling Smørgrav.Sm off
1413333ee039SDag-Erling Smørgrav.Ar host : port
1414333ee039SDag-Erling Smørgrav.Sm on
1415333ee039SDag-Erling Smørgrav.It
1416333ee039SDag-Erling Smørgrav.Cm PermitOpen
1417333ee039SDag-Erling Smørgrav.Sm off
1418333ee039SDag-Erling Smørgrav.Ar IPv4_addr : port
1419333ee039SDag-Erling Smørgrav.Sm on
1420333ee039SDag-Erling Smørgrav.It
1421333ee039SDag-Erling Smørgrav.Cm PermitOpen
1422333ee039SDag-Erling Smørgrav.Sm off
1423333ee039SDag-Erling Smørgrav.Ar \&[ IPv6_addr \&] : port
1424333ee039SDag-Erling Smørgrav.Sm on
1425333ee039SDag-Erling Smørgrav.El
1426333ee039SDag-Erling Smørgrav.Pp
1427333ee039SDag-Erling SmørgravMultiple forwards may be specified by separating them with whitespace.
1428333ee039SDag-Erling SmørgravAn argument of
1429ca86bcf2SDag-Erling Smørgrav.Cm any
1430333ee039SDag-Erling Smørgravcan be used to remove all restrictions and permit any forwarding requests.
1431462c32cbSDag-Erling SmørgravAn argument of
1432ca86bcf2SDag-Erling Smørgrav.Cm none
1433462c32cbSDag-Erling Smørgravcan be used to prohibit all forwarding requests.
1434076ad2f8SDag-Erling SmørgravThe wildcard
1435ca86bcf2SDag-Erling Smørgrav.Sq *
143619261079SEd Mastecan be used for host or port to allow all hosts or ports respectively.
143719261079SEd MasteOtherwise, no pattern matching or address lookups are performed on supplied
143819261079SEd Mastenames.
1439333ee039SDag-Erling SmørgravBy default all port forwarding requests are permitted.
1440545d5ecaSDag-Erling Smørgrav.It Cm PermitRootLogin
1441545d5ecaSDag-Erling SmørgravSpecifies whether root can log in using
1442545d5ecaSDag-Erling Smørgrav.Xr ssh 1 .
1443545d5ecaSDag-Erling SmørgravThe argument must be
1444ca86bcf2SDag-Erling Smørgrav.Cm yes ,
1445ca86bcf2SDag-Erling Smørgrav.Cm prohibit-password ,
1446ca86bcf2SDag-Erling Smørgrav.Cm forced-commands-only ,
1447545d5ecaSDag-Erling Smørgravor
1448ca86bcf2SDag-Erling Smørgrav.Cm no .
1449545d5ecaSDag-Erling SmørgravThe default is
1450ca86bcf2SDag-Erling Smørgrav.Cm no .
1451810a15b1SDag-Erling SmørgravNote that if
1452810a15b1SDag-Erling Smørgrav.Cm ChallengeResponseAuthentication
1453ca86bcf2SDag-Erling Smørgravand
1454ca86bcf2SDag-Erling Smørgrav.Cm UsePAM
1455ca86bcf2SDag-Erling Smørgravare both
1456ca86bcf2SDag-Erling Smørgrav.Cm yes ,
1457ca86bcf2SDag-Erling Smørgravthis setting may be overridden by the PAM policy.
1458545d5ecaSDag-Erling Smørgrav.Pp
1459545d5ecaSDag-Erling SmørgravIf this option is set to
1460ca86bcf2SDag-Erling Smørgrav.Cm prohibit-password
146147dd1d1bSDag-Erling Smørgrav(or its deprecated alias,
146247dd1d1bSDag-Erling Smørgrav.Cm without-password ) ,
1463eccfee6eSDag-Erling Smørgravpassword and keyboard-interactive authentication are disabled for root.
1464545d5ecaSDag-Erling Smørgrav.Pp
1465545d5ecaSDag-Erling SmørgravIf this option is set to
1466ca86bcf2SDag-Erling Smørgrav.Cm forced-commands-only ,
1467545d5ecaSDag-Erling Smørgravroot login with public key authentication will be allowed,
1468545d5ecaSDag-Erling Smørgravbut only if the
1469545d5ecaSDag-Erling Smørgrav.Ar command
1470545d5ecaSDag-Erling Smørgravoption has been specified
1471545d5ecaSDag-Erling Smørgrav(which may be useful for taking remote backups even if root login is
1472cf2b5f3bSDag-Erling Smørgravnormally not allowed).
1473cf2b5f3bSDag-Erling SmørgravAll other authentication methods are disabled for root.
1474545d5ecaSDag-Erling Smørgrav.Pp
1475545d5ecaSDag-Erling SmørgravIf this option is set to
1476ca86bcf2SDag-Erling Smørgrav.Cm no ,
1477545d5ecaSDag-Erling Smørgravroot is not allowed to log in.
1478f7167e0eSDag-Erling Smørgrav.It Cm PermitTTY
1479f7167e0eSDag-Erling SmørgravSpecifies whether
1480f7167e0eSDag-Erling Smørgrav.Xr pty 4
1481f7167e0eSDag-Erling Smørgravallocation is permitted.
1482f7167e0eSDag-Erling SmørgravThe default is
1483ca86bcf2SDag-Erling Smørgrav.Cm yes .
1484ca86bcf2SDag-Erling Smørgrav.It Cm PermitTunnel
1485ca86bcf2SDag-Erling SmørgravSpecifies whether
1486ca86bcf2SDag-Erling Smørgrav.Xr tun 4
1487ca86bcf2SDag-Erling Smørgravdevice forwarding is allowed.
1488ca86bcf2SDag-Erling SmørgravThe argument must be
1489ca86bcf2SDag-Erling Smørgrav.Cm yes ,
1490ca86bcf2SDag-Erling Smørgrav.Cm point-to-point
1491ca86bcf2SDag-Erling Smørgrav(layer 3),
1492ca86bcf2SDag-Erling Smørgrav.Cm ethernet
1493ca86bcf2SDag-Erling Smørgrav(layer 2), or
1494ca86bcf2SDag-Erling Smørgrav.Cm no .
1495ca86bcf2SDag-Erling SmørgravSpecifying
1496ca86bcf2SDag-Erling Smørgrav.Cm yes
1497ca86bcf2SDag-Erling Smørgravpermits both
1498ca86bcf2SDag-Erling Smørgrav.Cm point-to-point
1499ca86bcf2SDag-Erling Smørgravand
1500ca86bcf2SDag-Erling Smørgrav.Cm ethernet .
1501ca86bcf2SDag-Erling SmørgravThe default is
1502ca86bcf2SDag-Erling Smørgrav.Cm no .
1503ca86bcf2SDag-Erling Smørgrav.Pp
1504ca86bcf2SDag-Erling SmørgravIndependent of this setting, the permissions of the selected
1505ca86bcf2SDag-Erling Smørgrav.Xr tun 4
1506ca86bcf2SDag-Erling Smørgravdevice must allow access to the user.
1507f388f5efSDag-Erling Smørgrav.It Cm PermitUserEnvironment
1508f388f5efSDag-Erling SmørgravSpecifies whether
1509f388f5efSDag-Erling Smørgrav.Pa ~/.ssh/environment
1510f388f5efSDag-Erling Smørgravand
1511f388f5efSDag-Erling Smørgrav.Cm environment=
1512f388f5efSDag-Erling Smørgravoptions in
1513f388f5efSDag-Erling Smørgrav.Pa ~/.ssh/authorized_keys
1514f388f5efSDag-Erling Smørgravare processed by
1515333ee039SDag-Erling Smørgrav.Xr sshd 8 .
1516190cef3dSDag-Erling SmørgravValid options are
1517190cef3dSDag-Erling Smørgrav.Cm yes ,
1518190cef3dSDag-Erling Smørgrav.Cm no
1519190cef3dSDag-Erling Smørgravor a pattern-list specifying which environment variable names to accept
1520190cef3dSDag-Erling Smørgrav(for example
1521190cef3dSDag-Erling Smørgrav.Qq LANG,LC_* ) .
1522f388f5efSDag-Erling SmørgravThe default is
1523ca86bcf2SDag-Erling Smørgrav.Cm no .
1524f388f5efSDag-Erling SmørgravEnabling environment processing may enable users to bypass access
1525f388f5efSDag-Erling Smørgravrestrictions in some configurations using mechanisms such as
1526f388f5efSDag-Erling Smørgrav.Ev LD_PRELOAD .
1527a0ee8cc6SDag-Erling Smørgrav.It Cm PermitUserRC
1528a0ee8cc6SDag-Erling SmørgravSpecifies whether any
1529a0ee8cc6SDag-Erling Smørgrav.Pa ~/.ssh/rc
1530a0ee8cc6SDag-Erling Smørgravfile is executed.
1531a0ee8cc6SDag-Erling SmørgravThe default is
1532ca86bcf2SDag-Erling Smørgrav.Cm yes .
153319261079SEd Maste.It Cm PerSourceMaxStartups
153419261079SEd MasteSpecifies the number of unauthenticated connections allowed from a
153519261079SEd Mastegiven source address, or
153619261079SEd Maste.Dq none
153719261079SEd Masteif there is no limit.
153819261079SEd MasteThis limit is applied in addition to
153919261079SEd Maste.Cm MaxStartups ,
154019261079SEd Mastewhichever is lower.
154119261079SEd MasteThe default is
154219261079SEd Maste.Cm none .
154319261079SEd Maste.It Cm PerSourceNetBlockSize
154419261079SEd MasteSpecifies the number of bits of source address that are grouped together
154519261079SEd Mastefor the purposes of applying PerSourceMaxStartups limits.
154619261079SEd MasteValues for IPv4 and optionally IPv6 may be specified, separated by a colon.
154719261079SEd MasteThe default is
154819261079SEd Maste.Cm 32:128 ,
154919261079SEd Mastewhich means each address is considered individually.
1550545d5ecaSDag-Erling Smørgrav.It Cm PidFile
1551a82e551fSDag-Erling SmørgravSpecifies the file that contains the process ID of the
1552557f75e5SDag-Erling SmørgravSSH daemon, or
1553ca86bcf2SDag-Erling Smørgrav.Cm none
1554557f75e5SDag-Erling Smørgravto not write one.
1555545d5ecaSDag-Erling SmørgravThe default is
1556545d5ecaSDag-Erling Smørgrav.Pa /var/run/sshd.pid .
1557545d5ecaSDag-Erling Smørgrav.It Cm Port
1558545d5ecaSDag-Erling SmørgravSpecifies the port number that
1559333ee039SDag-Erling Smørgrav.Xr sshd 8
1560545d5ecaSDag-Erling Smørgravlistens on.
1561545d5ecaSDag-Erling SmørgravThe default is 22.
1562545d5ecaSDag-Erling SmørgravMultiple options of this type are permitted.
1563545d5ecaSDag-Erling SmørgravSee also
1564545d5ecaSDag-Erling Smørgrav.Cm ListenAddress .
1565545d5ecaSDag-Erling Smørgrav.It Cm PrintLastLog
1566545d5ecaSDag-Erling SmørgravSpecifies whether
1567333ee039SDag-Erling Smørgrav.Xr sshd 8
1568aa49c926SDag-Erling Smørgravshould print the date and time of the last user login when a user logs
1569aa49c926SDag-Erling Smørgravin interactively.
1570545d5ecaSDag-Erling SmørgravThe default is
1571ca86bcf2SDag-Erling Smørgrav.Cm yes .
1572545d5ecaSDag-Erling Smørgrav.It Cm PrintMotd
1573545d5ecaSDag-Erling SmørgravSpecifies whether
1574333ee039SDag-Erling Smørgrav.Xr sshd 8
1575545d5ecaSDag-Erling Smørgravshould print
1576545d5ecaSDag-Erling Smørgrav.Pa /etc/motd
1577545d5ecaSDag-Erling Smørgravwhen a user logs in interactively.
1578545d5ecaSDag-Erling Smørgrav(On some systems it is also printed by the shell,
1579545d5ecaSDag-Erling Smørgrav.Pa /etc/profile ,
1580545d5ecaSDag-Erling Smørgravor equivalent.)
1581545d5ecaSDag-Erling SmørgravThe default is
1582ca86bcf2SDag-Erling Smørgrav.Cm yes .
158319261079SEd Maste.It Cm PubkeyAcceptedAlgorithms
158419261079SEd MasteSpecifies the signature algorithms that will be accepted for public key
158519261079SEd Masteauthentication as a list of comma-separated patterns.
158619261079SEd MasteAlternately if the specified list begins with a
1587eccfee6eSDag-Erling Smørgrav.Sq +
158819261079SEd Mastecharacter, then the specified algorithms will be appended to the default set
1589eccfee6eSDag-Erling Smørgravinstead of replacing them.
159019261079SEd MasteIf the specified list begins with a
1591d93a896eSDag-Erling Smørgrav.Sq -
159219261079SEd Mastecharacter, then the specified algorithms (including wildcards) will be removed
1593d93a896eSDag-Erling Smørgravfrom the default set instead of replacing them.
159419261079SEd MasteIf the specified list begins with a
159519261079SEd Maste.Sq ^
159619261079SEd Mastecharacter, then the specified algorithms will be placed at the head of the
159719261079SEd Mastedefault set.
1598eccfee6eSDag-Erling SmørgravThe default for this option is:
1599eccfee6eSDag-Erling Smørgrav.Bd -literal -offset 3n
160019261079SEd Mastessh-ed25519-cert-v01@openssh.com,
1601eccfee6eSDag-Erling Smørgravecdsa-sha2-nistp256-cert-v01@openssh.com,
1602eccfee6eSDag-Erling Smørgravecdsa-sha2-nistp384-cert-v01@openssh.com,
1603eccfee6eSDag-Erling Smørgravecdsa-sha2-nistp521-cert-v01@openssh.com,
160419261079SEd Mastesk-ssh-ed25519-cert-v01@openssh.com,
160519261079SEd Mastesk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
160619261079SEd Mastersa-sha2-512-cert-v01@openssh.com,
160719261079SEd Mastersa-sha2-256-cert-v01@openssh.com,
160819261079SEd Mastessh-ed25519,
16099ded3306SDag-Erling Smørgravecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
161019261079SEd Mastesk-ssh-ed25519@openssh.com,
161119261079SEd Mastesk-ecdsa-sha2-nistp256@openssh.com,
1612cea0d368SEd Mastersa-sha2-512,rsa-sha2-256
1613eccfee6eSDag-Erling Smørgrav.Ed
1614eccfee6eSDag-Erling Smørgrav.Pp
161519261079SEd MasteThe list of available signature algorithms may also be obtained using
161619261079SEd Maste.Qq ssh -Q PubkeyAcceptedAlgorithms .
161719261079SEd Maste.It Cm PubkeyAuthOptions
161819261079SEd MasteSets one or more public key authentication options.
161919261079SEd MasteThe supported keywords are:
162019261079SEd Maste.Cm none
162119261079SEd Maste(the default; indicating no additional options are enabled),
162219261079SEd Maste.Cm touch-required
162319261079SEd Masteand
162419261079SEd Maste.Cm verify-required .
162519261079SEd Maste.Pp
162619261079SEd MasteThe
162719261079SEd Maste.Cm touch-required
162819261079SEd Masteoption causes public key authentication using a FIDO authenticator algorithm
162919261079SEd Maste(i.e.\&
163019261079SEd Maste.Cm ecdsa-sk
163119261079SEd Masteor
163219261079SEd Maste.Cm ed25519-sk )
163319261079SEd Masteto always require the signature to attest that a physically present user
163419261079SEd Masteexplicitly confirmed the authentication (usually by touching the authenticator).
163519261079SEd MasteBy default,
163619261079SEd Maste.Xr sshd 8
163719261079SEd Masterequires user presence unless overridden with an authorized_keys option.
163819261079SEd MasteThe
163919261079SEd Maste.Cm touch-required
164019261079SEd Masteflag disables this override.
164119261079SEd Maste.Pp
164219261079SEd MasteThe
164319261079SEd Maste.Cm verify-required
164419261079SEd Masteoption requires a FIDO key signature attest that the user was verified,
164519261079SEd Mastee.g. via a PIN.
164619261079SEd Maste.Pp
164719261079SEd MasteNeither the
164819261079SEd Maste.Cm touch-required
164919261079SEd Masteor
165019261079SEd Maste.Cm verify-required
165119261079SEd Masteoptions have any effect for other, non-FIDO, public key types.
1652545d5ecaSDag-Erling Smørgrav.It Cm PubkeyAuthentication
1653545d5ecaSDag-Erling SmørgravSpecifies whether public key authentication is allowed.
1654545d5ecaSDag-Erling SmørgravThe default is
1655ca86bcf2SDag-Erling Smørgrav.Cm yes .
1656e4a9863fSDag-Erling Smørgrav.It Cm RekeyLimit
165738a52bd3SEd MasteSpecifies the maximum amount of data that may be transmitted or received
165838a52bd3SEd Mastebefore the session key is renegotiated, optionally followed by a maximum
165938a52bd3SEd Masteamount of time that may pass before the session key is renegotiated.
1660e4a9863fSDag-Erling SmørgravThe first argument is specified in bytes and may have a suffix of
1661e4a9863fSDag-Erling Smørgrav.Sq K ,
1662e4a9863fSDag-Erling Smørgrav.Sq M ,
1663e4a9863fSDag-Erling Smørgravor
1664e4a9863fSDag-Erling Smørgrav.Sq G
1665e4a9863fSDag-Erling Smørgravto indicate Kilobytes, Megabytes, or Gigabytes, respectively.
1666e4a9863fSDag-Erling SmørgravThe default is between
1667e4a9863fSDag-Erling Smørgrav.Sq 1G
1668e4a9863fSDag-Erling Smørgravand
1669e4a9863fSDag-Erling Smørgrav.Sq 4G ,
1670e4a9863fSDag-Erling Smørgravdepending on the cipher.
1671e4a9863fSDag-Erling SmørgravThe optional second value is specified in seconds and may use any of the
1672e4a9863fSDag-Erling Smørgravunits documented in the
1673e4a9863fSDag-Erling Smørgrav.Sx TIME FORMATS
1674e4a9863fSDag-Erling Smørgravsection.
1675e4a9863fSDag-Erling SmørgravThe default value for
1676e4a9863fSDag-Erling Smørgrav.Cm RekeyLimit
1677e4a9863fSDag-Erling Smørgravis
1678ca86bcf2SDag-Erling Smørgrav.Cm default none ,
1679e4a9863fSDag-Erling Smørgravwhich means that rekeying is performed after the cipher's default amount
1680e4a9863fSDag-Erling Smørgravof data has been sent or received and no time based rekeying is done.
168138a52bd3SEd Maste.It Cm RequiredRSASize
168238a52bd3SEd MasteSpecifies the minimum RSA key size (in bits) that
168338a52bd3SEd Maste.Xr sshd 8
168438a52bd3SEd Mastewill accept.
168538a52bd3SEd MasteUser and host-based authentication keys smaller than this limit will be
168638a52bd3SEd Masterefused.
168738a52bd3SEd MasteThe default is
168838a52bd3SEd Maste.Cm 1024
168938a52bd3SEd Mastebits.
169038a52bd3SEd MasteNote that this limit may only be raised from the default.
1691b15c8340SDag-Erling Smørgrav.It Cm RevokedKeys
1692557f75e5SDag-Erling SmørgravSpecifies revoked public keys file, or
1693ca86bcf2SDag-Erling Smørgrav.Cm none
1694557f75e5SDag-Erling Smørgravto not use one.
1695b15c8340SDag-Erling SmørgravKeys listed in this file will be refused for public key authentication.
1696b15c8340SDag-Erling SmørgravNote that if this file is not readable, then public key authentication will
1697b15c8340SDag-Erling Smørgravbe refused for all users.
16986888a9beSDag-Erling SmørgravKeys may be specified as a text file, listing one public key per line, or as
16996888a9beSDag-Erling Smørgravan OpenSSH Key Revocation List (KRL) as generated by
17006888a9beSDag-Erling Smørgrav.Xr ssh-keygen 1 .
1701e4a9863fSDag-Erling SmørgravFor more information on KRLs, see the KEY REVOCATION LISTS section in
17026888a9beSDag-Erling Smørgrav.Xr ssh-keygen 1 .
170347dd1d1bSDag-Erling Smørgrav.It Cm RDomain
170447dd1d1bSDag-Erling SmørgravSpecifies an explicit routing domain that is applied after authentication
170547dd1d1bSDag-Erling Smørgravhas completed.
170619261079SEd MasteThe user session, as well as any forwarded or listening IP sockets,
170747dd1d1bSDag-Erling Smørgravwill be bound to this
170847dd1d1bSDag-Erling Smørgrav.Xr rdomain 4 .
170947dd1d1bSDag-Erling SmørgravIf the routing domain is set to
171047dd1d1bSDag-Erling Smørgrav.Cm \&%D ,
171147dd1d1bSDag-Erling Smørgravthen the domain in which the incoming connection was received will be applied.
171219261079SEd Maste.It Cm SecurityKeyProvider
171319261079SEd MasteSpecifies a path to a library that will be used when loading
171419261079SEd MasteFIDO authenticator-hosted keys, overriding the default of using
171519261079SEd Mastethe built-in USB HID support.
1716190cef3dSDag-Erling Smørgrav.It Cm SetEnv
1717190cef3dSDag-Erling SmørgravSpecifies one or more environment variables to set in child sessions started
1718190cef3dSDag-Erling Smørgravby
1719190cef3dSDag-Erling Smørgrav.Xr sshd 8
1720190cef3dSDag-Erling Smørgravas
1721190cef3dSDag-Erling Smørgrav.Dq NAME=VALUE .
1722190cef3dSDag-Erling SmørgravThe environment value may be quoted (e.g. if it contains whitespace
1723190cef3dSDag-Erling Smørgravcharacters).
1724190cef3dSDag-Erling SmørgravEnvironment variables set by
1725190cef3dSDag-Erling Smørgrav.Cm SetEnv
1726190cef3dSDag-Erling Smørgravoverride the default environment and any variables specified by the user
1727190cef3dSDag-Erling Smørgravvia
1728190cef3dSDag-Erling Smørgrav.Cm AcceptEnv
1729190cef3dSDag-Erling Smørgravor
1730190cef3dSDag-Erling Smørgrav.Cm PermitUserEnvironment .
1731a0ee8cc6SDag-Erling Smørgrav.It Cm StreamLocalBindMask
1732a0ee8cc6SDag-Erling SmørgravSets the octal file creation mode mask
1733a0ee8cc6SDag-Erling Smørgrav.Pq umask
1734a0ee8cc6SDag-Erling Smørgravused when creating a Unix-domain socket file for local or remote
1735a0ee8cc6SDag-Erling Smørgravport forwarding.
1736a0ee8cc6SDag-Erling SmørgravThis option is only used for port forwarding to a Unix-domain socket file.
1737a0ee8cc6SDag-Erling Smørgrav.Pp
1738a0ee8cc6SDag-Erling SmørgravThe default value is 0177, which creates a Unix-domain socket file that is
1739a0ee8cc6SDag-Erling Smørgravreadable and writable only by the owner.
1740a0ee8cc6SDag-Erling SmørgravNote that not all operating systems honor the file mode on Unix-domain
1741a0ee8cc6SDag-Erling Smørgravsocket files.
1742a0ee8cc6SDag-Erling Smørgrav.It Cm StreamLocalBindUnlink
1743a0ee8cc6SDag-Erling SmørgravSpecifies whether to remove an existing Unix-domain socket file for local
1744a0ee8cc6SDag-Erling Smørgravor remote port forwarding before creating a new one.
1745a0ee8cc6SDag-Erling SmørgravIf the socket file already exists and
1746a0ee8cc6SDag-Erling Smørgrav.Cm StreamLocalBindUnlink
1747a0ee8cc6SDag-Erling Smørgravis not enabled,
1748a0ee8cc6SDag-Erling Smørgrav.Nm sshd
1749a0ee8cc6SDag-Erling Smørgravwill be unable to forward the port to the Unix-domain socket file.
1750a0ee8cc6SDag-Erling SmørgravThis option is only used for port forwarding to a Unix-domain socket file.
1751a0ee8cc6SDag-Erling Smørgrav.Pp
1752a0ee8cc6SDag-Erling SmørgravThe argument must be
1753ca86bcf2SDag-Erling Smørgrav.Cm yes
1754a0ee8cc6SDag-Erling Smørgravor
1755ca86bcf2SDag-Erling Smørgrav.Cm no .
1756a0ee8cc6SDag-Erling SmørgravThe default is
1757ca86bcf2SDag-Erling Smørgrav.Cm no .
1758545d5ecaSDag-Erling Smørgrav.It Cm StrictModes
1759545d5ecaSDag-Erling SmørgravSpecifies whether
1760333ee039SDag-Erling Smørgrav.Xr sshd 8
1761545d5ecaSDag-Erling Smørgravshould check file modes and ownership of the
1762545d5ecaSDag-Erling Smørgravuser's files and home directory before accepting login.
1763545d5ecaSDag-Erling SmørgravThis is normally desirable because novices sometimes accidentally leave their
1764545d5ecaSDag-Erling Smørgravdirectory or files world-writable.
1765545d5ecaSDag-Erling SmørgravThe default is
1766ca86bcf2SDag-Erling Smørgrav.Cm yes .
1767b15c8340SDag-Erling SmørgravNote that this does not apply to
1768b15c8340SDag-Erling Smørgrav.Cm ChrootDirectory ,
1769b15c8340SDag-Erling Smørgravwhose permissions and ownership are checked unconditionally.
1770545d5ecaSDag-Erling Smørgrav.It Cm Subsystem
1771333ee039SDag-Erling SmørgravConfigures an external subsystem (e.g. file transfer daemon).
1772333ee039SDag-Erling SmørgravArguments should be a subsystem name and a command (with optional arguments)
1773333ee039SDag-Erling Smørgravto execute upon subsystem request.
1774d4af9e69SDag-Erling Smørgrav.Pp
1775545d5ecaSDag-Erling SmørgravThe command
1776ca86bcf2SDag-Erling Smørgrav.Cm sftp-server
1777ca86bcf2SDag-Erling Smørgravimplements the SFTP file transfer subsystem.
1778d4af9e69SDag-Erling Smørgrav.Pp
1779d4af9e69SDag-Erling SmørgravAlternately the name
1780ca86bcf2SDag-Erling Smørgrav.Cm internal-sftp
1781ca86bcf2SDag-Erling Smørgravimplements an in-process SFTP server.
1782d4af9e69SDag-Erling SmørgravThis may simplify configurations using
1783d4af9e69SDag-Erling Smørgrav.Cm ChrootDirectory
1784d4af9e69SDag-Erling Smørgravto force a different filesystem root on clients.
1785d4af9e69SDag-Erling Smørgrav.Pp
1786545d5ecaSDag-Erling SmørgravBy default no subsystems are defined.
1787545d5ecaSDag-Erling Smørgrav.It Cm SyslogFacility
1788545d5ecaSDag-Erling SmørgravGives the facility code that is used when logging messages from
1789333ee039SDag-Erling Smørgrav.Xr sshd 8 .
1790545d5ecaSDag-Erling SmørgravThe possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
1791545d5ecaSDag-Erling SmørgravLOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
1792545d5ecaSDag-Erling SmørgravThe default is AUTH.
17931ec0d754SDag-Erling Smørgrav.It Cm TCPKeepAlive
17941ec0d754SDag-Erling SmørgravSpecifies whether the system should send TCP keepalive messages to the
17951ec0d754SDag-Erling Smørgravother side.
17961ec0d754SDag-Erling SmørgravIf they are sent, death of the connection or crash of one
17971ec0d754SDag-Erling Smørgravof the machines will be properly noticed.
17981ec0d754SDag-Erling SmørgravHowever, this means that
17991ec0d754SDag-Erling Smørgravconnections will die if the route is down temporarily, and some people
18001ec0d754SDag-Erling Smørgravfind it annoying.
18011ec0d754SDag-Erling SmørgravOn the other hand, if TCP keepalives are not sent,
18021ec0d754SDag-Erling Smørgravsessions may hang indefinitely on the server, leaving
1803ca86bcf2SDag-Erling Smørgrav.Qq ghost
18041ec0d754SDag-Erling Smørgravusers and consuming server resources.
18051ec0d754SDag-Erling Smørgrav.Pp
18061ec0d754SDag-Erling SmørgravThe default is
1807ca86bcf2SDag-Erling Smørgrav.Cm yes
18081ec0d754SDag-Erling Smørgrav(to send TCP keepalive messages), and the server will notice
18091ec0d754SDag-Erling Smørgravif the network goes down or the client host crashes.
18101ec0d754SDag-Erling SmørgravThis avoids infinitely hanging sessions.
18111ec0d754SDag-Erling Smørgrav.Pp
18121ec0d754SDag-Erling SmørgravTo disable TCP keepalive messages, the value should be set to
1813ca86bcf2SDag-Erling Smørgrav.Cm no .
1814b15c8340SDag-Erling Smørgrav.It Cm TrustedUserCAKeys
1815b15c8340SDag-Erling SmørgravSpecifies a file containing public keys of certificate authorities that are
1816557f75e5SDag-Erling Smørgravtrusted to sign user certificates for authentication, or
1817ca86bcf2SDag-Erling Smørgrav.Cm none
1818557f75e5SDag-Erling Smørgravto not use one.
1819b15c8340SDag-Erling SmørgravKeys are listed one per line; empty lines and comments starting with
1820b15c8340SDag-Erling Smørgrav.Ql #
1821b15c8340SDag-Erling Smørgravare allowed.
1822b15c8340SDag-Erling SmørgravIf a certificate is presented for authentication and has its signing CA key
1823b15c8340SDag-Erling Smørgravlisted in this file, then it may be used for authentication for any user
1824b15c8340SDag-Erling Smørgravlisted in the certificate's principals list.
1825b15c8340SDag-Erling SmørgravNote that certificates that lack a list of principals will not be permitted
1826b15c8340SDag-Erling Smørgravfor authentication using
1827b15c8340SDag-Erling Smørgrav.Cm TrustedUserCAKeys .
1828e4a9863fSDag-Erling SmørgravFor more details on certificates, see the CERTIFICATES section in
1829b15c8340SDag-Erling Smørgrav.Xr ssh-keygen 1 .
1830*f374ba41SEd Maste.It Cm UnusedConnectionTimeout
1831*f374ba41SEd MasteSpecifies whether and how quickly
1832*f374ba41SEd Maste.Xr sshd 8
1833*f374ba41SEd Masteshould close client connections with no open channels.
1834*f374ba41SEd MasteOpen channels include active shell, command execution or subsystem
1835*f374ba41SEd Mastesessions, connected network, socket, agent or X11 forwardings.
1836*f374ba41SEd MasteForwarding listeners, such as those from the
1837*f374ba41SEd Maste.Xr ssh 1
1838*f374ba41SEd Maste.Fl R
1839*f374ba41SEd Masteflag, are not considered as open channels and do not prevent the timeout.
1840*f374ba41SEd MasteThe timeout value
1841*f374ba41SEd Masteis specified in seconds or may use any of the units documented in the
1842*f374ba41SEd Maste.Sx TIME FORMATS
1843*f374ba41SEd Mastesection.
1844*f374ba41SEd Maste.Pp
1845*f374ba41SEd MasteNote that this timeout starts when the client connection completes
1846*f374ba41SEd Masteuser authentication but before the client has an opportunity to open any
1847*f374ba41SEd Mastechannels.
1848*f374ba41SEd MasteCaution should be used when using short timeout values, as they may not
1849*f374ba41SEd Masteprovide sufficient time for the client to request and open its channels
1850*f374ba41SEd Mastebefore terminating the connection.
1851*f374ba41SEd Maste.Pp
1852*f374ba41SEd MasteThe default
1853*f374ba41SEd Maste.Cm none
1854*f374ba41SEd Masteis to never expire connections for having no open channels.
1855*f374ba41SEd MasteThis option may be useful in conjunction with
1856*f374ba41SEd Maste.Cm ChannelTimeout .
1857b2af61ecSKurt Lidl.It Cm UseBlacklist
1858b2af61ecSKurt LidlSpecifies whether
1859b2af61ecSKurt Lidl.Xr sshd 8
1860b2af61ecSKurt Lidlattempts to send authentication success and failure messages
1861b2af61ecSKurt Lidlto the
1862b2af61ecSKurt Lidl.Xr blacklistd 8
1863b2af61ecSKurt Lidldaemon.
1864b2af61ecSKurt LidlThe default is
1865ca86bcf2SDag-Erling Smørgrav.Cm no .
1866e426c743SEd MasteFor forward compatibility with an upcoming
1867e426c743SEd Maste.Xr blacklistd
1868e426c743SEd Masterename, the
1869e426c743SEd Maste.Cm UseBlocklist
1870e426c743SEd Mastealias can be used instead.
1871cf2b5f3bSDag-Erling Smørgrav.It Cm UseDNS
1872cf2b5f3bSDag-Erling SmørgravSpecifies whether
1873333ee039SDag-Erling Smørgrav.Xr sshd 8
1874eccfee6eSDag-Erling Smørgravshould look up the remote host name, and to check that
1875cf2b5f3bSDag-Erling Smørgravthe resolved host name for the remote IP address maps back to the
1876cf2b5f3bSDag-Erling Smørgravvery same IP address.
1877eccfee6eSDag-Erling Smørgrav.Pp
1878eccfee6eSDag-Erling SmørgravIf this option is set to
1879ca86bcf2SDag-Erling Smørgrav.Cm no ,
1880c4cd1fa4SDag-Erling Smørgravthen only addresses and not host names may be used in
1881076ad2f8SDag-Erling Smørgrav.Pa ~/.ssh/authorized_keys
1882eccfee6eSDag-Erling Smørgrav.Cm from
1883eccfee6eSDag-Erling Smørgravand
1884fc1ba28aSDag-Erling Smørgrav.Nm
1885eccfee6eSDag-Erling Smørgrav.Cm Match
1886eccfee6eSDag-Erling Smørgrav.Cm Host
1887eccfee6eSDag-Erling Smørgravdirectives.
1888c4cd1fa4SDag-Erling SmørgravThe default is
1889c4cd1fa4SDag-Erling Smørgrav.Dq yes .
1890cf2b5f3bSDag-Erling Smørgrav.It Cm UsePAM
189121e764dfSDag-Erling SmørgravEnables the Pluggable Authentication Module interface.
189221e764dfSDag-Erling SmørgravIf set to
1893ca86bcf2SDag-Erling Smørgrav.Cm yes
189421e764dfSDag-Erling Smørgravthis will enable PAM authentication using
189519261079SEd Maste.Cm KbdInteractiveAuthentication
1896333ee039SDag-Erling Smørgravand
1897333ee039SDag-Erling Smørgrav.Cm PasswordAuthentication
1898333ee039SDag-Erling Smørgravin addition to PAM account and session module processing for all
1899333ee039SDag-Erling Smørgravauthentication types.
190021e764dfSDag-Erling Smørgrav.Pp
190119261079SEd MasteBecause PAM keyboard-interactive authentication usually serves an equivalent
190221e764dfSDag-Erling Smørgravrole to password authentication, you should disable either
190321e764dfSDag-Erling Smørgrav.Cm PasswordAuthentication
190421e764dfSDag-Erling Smørgravor
190519261079SEd Maste.Cm KbdInteractiveAuthentication .
190621e764dfSDag-Erling Smørgrav.Pp
190721e764dfSDag-Erling SmørgravIf
190821e764dfSDag-Erling Smørgrav.Cm UsePAM
190921e764dfSDag-Erling Smørgravis enabled, you will not be able to run
191021e764dfSDag-Erling Smørgrav.Xr sshd 8
191121e764dfSDag-Erling Smørgravas a non-root user.
191221e764dfSDag-Erling SmørgravThe default is
1913ca86bcf2SDag-Erling Smørgrav.Cm yes .
191435d4ccfbSDag-Erling Smørgrav.It Cm VersionAddendum
1915462c32cbSDag-Erling SmørgravOptionally specifies additional text to append to the SSH protocol banner
1916462c32cbSDag-Erling Smørgravsent by the server upon connection.
1917ee8aeb14SDag-Erling SmørgravThe default is
1918*f374ba41SEd Maste.Qq FreeBSD-20230205 .
19196e571081SBryan DreweryThe value
1920ca86bcf2SDag-Erling Smørgrav.Cm none
19216e571081SBryan Drewerymay be used to disable this.
1922545d5ecaSDag-Erling Smørgrav.It Cm X11DisplayOffset
1923545d5ecaSDag-Erling SmørgravSpecifies the first display number available for
1924333ee039SDag-Erling Smørgrav.Xr sshd 8 Ns 's
1925545d5ecaSDag-Erling SmørgravX11 forwarding.
1926333ee039SDag-Erling SmørgravThis prevents sshd from interfering with real X11 servers.
1927545d5ecaSDag-Erling SmørgravThe default is 10.
1928545d5ecaSDag-Erling Smørgrav.It Cm X11Forwarding
1929545d5ecaSDag-Erling SmørgravSpecifies whether X11 forwarding is permitted.
1930f388f5efSDag-Erling SmørgravThe argument must be
1931ca86bcf2SDag-Erling Smørgrav.Cm yes
1932f388f5efSDag-Erling Smørgravor
1933ca86bcf2SDag-Erling Smørgrav.Cm no .
1934545d5ecaSDag-Erling SmørgravThe default is
1935ca86bcf2SDag-Erling Smørgrav.Cm yes .
1936f388f5efSDag-Erling Smørgrav.Pp
1937f388f5efSDag-Erling SmørgravWhen X11 forwarding is enabled, there may be additional exposure to
1938f388f5efSDag-Erling Smørgravthe server and to client displays if the
1939333ee039SDag-Erling Smørgrav.Xr sshd 8
1940f388f5efSDag-Erling Smørgravproxy display is configured to listen on the wildcard address (see
1941ca86bcf2SDag-Erling Smørgrav.Cm X11UseLocalhost ) ,
1942ca86bcf2SDag-Erling Smørgravthough this is not the default.
1943f388f5efSDag-Erling SmørgravAdditionally, the authentication spoofing and authentication data
1944f388f5efSDag-Erling Smørgravverification and substitution occur on the client side.
1945f388f5efSDag-Erling SmørgravThe security risk of using X11 forwarding is that the client's X11
1946333ee039SDag-Erling Smørgravdisplay server may be exposed to attack when the SSH client requests
1947f388f5efSDag-Erling Smørgravforwarding (see the warnings for
1948f388f5efSDag-Erling Smørgrav.Cm ForwardX11
1949f388f5efSDag-Erling Smørgravin
1950f388f5efSDag-Erling Smørgrav.Xr ssh_config 5 ) .
1951f388f5efSDag-Erling SmørgravA system administrator may have a stance in which they want to
1952f388f5efSDag-Erling Smørgravprotect clients that may expose themselves to attack by unwittingly
1953f388f5efSDag-Erling Smørgravrequesting X11 forwarding, which can warrant a
1954ca86bcf2SDag-Erling Smørgrav.Cm no
1955f388f5efSDag-Erling Smørgravsetting.
1956f388f5efSDag-Erling Smørgrav.Pp
1957f388f5efSDag-Erling SmørgravNote that disabling X11 forwarding does not prevent users from
1958f388f5efSDag-Erling Smørgravforwarding X11 traffic, as users can always install their own forwarders.
1959545d5ecaSDag-Erling Smørgrav.It Cm X11UseLocalhost
1960545d5ecaSDag-Erling SmørgravSpecifies whether
1961333ee039SDag-Erling Smørgrav.Xr sshd 8
1962545d5ecaSDag-Erling Smørgravshould bind the X11 forwarding server to the loopback address or to
1963e73e9afaSDag-Erling Smørgravthe wildcard address.
1964e73e9afaSDag-Erling SmørgravBy default,
1965333ee039SDag-Erling Smørgravsshd binds the forwarding server to the loopback address and sets the
1966545d5ecaSDag-Erling Smørgravhostname part of the
1967545d5ecaSDag-Erling Smørgrav.Ev DISPLAY
1968545d5ecaSDag-Erling Smørgravenvironment variable to
1969ca86bcf2SDag-Erling Smørgrav.Cm localhost .
1970f388f5efSDag-Erling SmørgravThis prevents remote hosts from connecting to the proxy display.
1971545d5ecaSDag-Erling SmørgravHowever, some older X11 clients may not function with this
1972545d5ecaSDag-Erling Smørgravconfiguration.
1973545d5ecaSDag-Erling Smørgrav.Cm X11UseLocalhost
1974545d5ecaSDag-Erling Smørgravmay be set to
1975ca86bcf2SDag-Erling Smørgrav.Cm no
1976545d5ecaSDag-Erling Smørgravto specify that the forwarding server should be bound to the wildcard
1977545d5ecaSDag-Erling Smørgravaddress.
1978545d5ecaSDag-Erling SmørgravThe argument must be
1979ca86bcf2SDag-Erling Smørgrav.Cm yes
1980545d5ecaSDag-Erling Smørgravor
1981ca86bcf2SDag-Erling Smørgrav.Cm no .
1982545d5ecaSDag-Erling SmørgravThe default is
1983ca86bcf2SDag-Erling Smørgrav.Cm yes .
1984545d5ecaSDag-Erling Smørgrav.It Cm XAuthLocation
1985f388f5efSDag-Erling SmørgravSpecifies the full pathname of the
1986545d5ecaSDag-Erling Smørgrav.Xr xauth 1
1987557f75e5SDag-Erling Smørgravprogram, or
1988ca86bcf2SDag-Erling Smørgrav.Cm none
1989557f75e5SDag-Erling Smørgravto not use one.
1990545d5ecaSDag-Erling SmørgravThe default is
1991ffea3f5aSDag-Erling Smørgrav.Pa /usr/local/bin/xauth .
1992545d5ecaSDag-Erling Smørgrav.El
1993333ee039SDag-Erling Smørgrav.Sh TIME FORMATS
1994333ee039SDag-Erling Smørgrav.Xr sshd 8
1995545d5ecaSDag-Erling Smørgravcommand-line arguments and configuration file options that specify time
1996545d5ecaSDag-Erling Smørgravmay be expressed using a sequence of the form:
1997545d5ecaSDag-Erling Smørgrav.Sm off
1998f388f5efSDag-Erling Smørgrav.Ar time Op Ar qualifier ,
1999545d5ecaSDag-Erling Smørgrav.Sm on
2000545d5ecaSDag-Erling Smørgravwhere
2001545d5ecaSDag-Erling Smørgrav.Ar time
2002545d5ecaSDag-Erling Smørgravis a positive integer value and
2003545d5ecaSDag-Erling Smørgrav.Ar qualifier
2004545d5ecaSDag-Erling Smørgravis one of the following:
2005545d5ecaSDag-Erling Smørgrav.Pp
2006545d5ecaSDag-Erling Smørgrav.Bl -tag -width Ds -compact -offset indent
2007333ee039SDag-Erling Smørgrav.It Aq Cm none
2008545d5ecaSDag-Erling Smørgravseconds
2009545d5ecaSDag-Erling Smørgrav.It Cm s | Cm S
2010545d5ecaSDag-Erling Smørgravseconds
2011545d5ecaSDag-Erling Smørgrav.It Cm m | Cm M
2012545d5ecaSDag-Erling Smørgravminutes
2013545d5ecaSDag-Erling Smørgrav.It Cm h | Cm H
2014545d5ecaSDag-Erling Smørgravhours
2015545d5ecaSDag-Erling Smørgrav.It Cm d | Cm D
2016545d5ecaSDag-Erling Smørgravdays
2017545d5ecaSDag-Erling Smørgrav.It Cm w | Cm W
2018545d5ecaSDag-Erling Smørgravweeks
2019545d5ecaSDag-Erling Smørgrav.El
2020545d5ecaSDag-Erling Smørgrav.Pp
2021545d5ecaSDag-Erling SmørgravEach member of the sequence is added together to calculate
2022545d5ecaSDag-Erling Smørgravthe total time value.
2023545d5ecaSDag-Erling Smørgrav.Pp
2024545d5ecaSDag-Erling SmørgravTime format examples:
2025545d5ecaSDag-Erling Smørgrav.Pp
2026545d5ecaSDag-Erling Smørgrav.Bl -tag -width Ds -compact -offset indent
2027545d5ecaSDag-Erling Smørgrav.It 600
2028545d5ecaSDag-Erling Smørgrav600 seconds (10 minutes)
2029545d5ecaSDag-Erling Smørgrav.It 10m
2030545d5ecaSDag-Erling Smørgrav10 minutes
2031545d5ecaSDag-Erling Smørgrav.It 1h30m
2032545d5ecaSDag-Erling Smørgrav1 hour 30 minutes (90 minutes)
2033545d5ecaSDag-Erling Smørgrav.El
2034ca86bcf2SDag-Erling Smørgrav.Sh TOKENS
2035ca86bcf2SDag-Erling SmørgravArguments to some keywords can make use of tokens,
2036ca86bcf2SDag-Erling Smørgravwhich are expanded at runtime:
2037ca86bcf2SDag-Erling Smørgrav.Pp
2038ca86bcf2SDag-Erling Smørgrav.Bl -tag -width XXXX -offset indent -compact
2039ca86bcf2SDag-Erling Smørgrav.It %%
2040ca86bcf2SDag-Erling SmørgravA literal
2041ca86bcf2SDag-Erling Smørgrav.Sq % .
204247dd1d1bSDag-Erling Smørgrav.It \&%D
204347dd1d1bSDag-Erling SmørgravThe routing domain in which the incoming connection was received.
2044ca86bcf2SDag-Erling Smørgrav.It %F
2045ca86bcf2SDag-Erling SmørgravThe fingerprint of the CA key.
2046ca86bcf2SDag-Erling Smørgrav.It %f
2047ca86bcf2SDag-Erling SmørgravThe fingerprint of the key or certificate.
2048ca86bcf2SDag-Erling Smørgrav.It %h
2049ca86bcf2SDag-Erling SmørgravThe home directory of the user.
2050ca86bcf2SDag-Erling Smørgrav.It %i
2051ca86bcf2SDag-Erling SmørgravThe key ID in the certificate.
2052ca86bcf2SDag-Erling Smørgrav.It %K
2053ca86bcf2SDag-Erling SmørgravThe base64-encoded CA key.
2054ca86bcf2SDag-Erling Smørgrav.It %k
2055ca86bcf2SDag-Erling SmørgravThe base64-encoded key or certificate for authentication.
2056ca86bcf2SDag-Erling Smørgrav.It %s
2057ca86bcf2SDag-Erling SmørgravThe serial number of the certificate.
2058ca86bcf2SDag-Erling Smørgrav.It \&%T
2059ca86bcf2SDag-Erling SmørgravThe type of the CA key.
2060ca86bcf2SDag-Erling Smørgrav.It %t
2061ca86bcf2SDag-Erling SmørgravThe key or certificate type.
2062190cef3dSDag-Erling Smørgrav.It \&%U
2063190cef3dSDag-Erling SmørgravThe numeric user ID of the target user.
2064ca86bcf2SDag-Erling Smørgrav.It %u
2065ca86bcf2SDag-Erling SmørgravThe username.
2066ca86bcf2SDag-Erling Smørgrav.El
2067ca86bcf2SDag-Erling Smørgrav.Pp
2068ca86bcf2SDag-Erling Smørgrav.Cm AuthorizedKeysCommand
2069190cef3dSDag-Erling Smørgravaccepts the tokens %%, %f, %h, %k, %t, %U, and %u.
2070ca86bcf2SDag-Erling Smørgrav.Pp
2071ca86bcf2SDag-Erling Smørgrav.Cm AuthorizedKeysFile
2072190cef3dSDag-Erling Smørgravaccepts the tokens %%, %h, %U, and %u.
2073ca86bcf2SDag-Erling Smørgrav.Pp
2074ca86bcf2SDag-Erling Smørgrav.Cm AuthorizedPrincipalsCommand
2075190cef3dSDag-Erling Smørgravaccepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, %U, and %u.
2076ca86bcf2SDag-Erling Smørgrav.Pp
2077ca86bcf2SDag-Erling Smørgrav.Cm AuthorizedPrincipalsFile
2078190cef3dSDag-Erling Smørgravaccepts the tokens %%, %h, %U, and %u.
2079ca86bcf2SDag-Erling Smørgrav.Pp
2080ca86bcf2SDag-Erling Smørgrav.Cm ChrootDirectory
2081190cef3dSDag-Erling Smørgravaccepts the tokens %%, %h, %U, and %u.
208247dd1d1bSDag-Erling Smørgrav.Pp
208347dd1d1bSDag-Erling Smørgrav.Cm RoutingDomain
208447dd1d1bSDag-Erling Smørgravaccepts the token %D.
2085545d5ecaSDag-Erling Smørgrav.Sh FILES
2086545d5ecaSDag-Erling Smørgrav.Bl -tag -width Ds
2087545d5ecaSDag-Erling Smørgrav.It Pa /etc/ssh/sshd_config
2088545d5ecaSDag-Erling SmørgravContains configuration data for
2089333ee039SDag-Erling Smørgrav.Xr sshd 8 .
2090545d5ecaSDag-Erling SmørgravThis file should be writable by root only, but it is recommended
2091545d5ecaSDag-Erling Smørgrav(though not necessary) that it be world-readable.
2092545d5ecaSDag-Erling Smørgrav.El
2093cf2b5f3bSDag-Erling Smørgrav.Sh SEE ALSO
2094ca86bcf2SDag-Erling Smørgrav.Xr sftp-server 8 ,
2095cf2b5f3bSDag-Erling Smørgrav.Xr sshd 8
2096545d5ecaSDag-Erling Smørgrav.Sh AUTHORS
2097ca86bcf2SDag-Erling Smørgrav.An -nosplit
2098545d5ecaSDag-Erling SmørgravOpenSSH is a derivative of the original and free
2099ca86bcf2SDag-Erling Smørgravssh 1.2.12 release by
2100ca86bcf2SDag-Erling Smørgrav.An Tatu Ylonen .
2101ca86bcf2SDag-Erling Smørgrav.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos ,
2102ca86bcf2SDag-Erling Smørgrav.An Theo de Raadt
2103ca86bcf2SDag-Erling Smørgravand
2104ca86bcf2SDag-Erling Smørgrav.An Dug Song
2105545d5ecaSDag-Erling Smørgravremoved many bugs, re-added newer features and
2106545d5ecaSDag-Erling Smørgravcreated OpenSSH.
2107ca86bcf2SDag-Erling Smørgrav.An Markus Friedl
2108ca86bcf2SDag-Erling Smørgravcontributed the support for SSH protocol versions 1.5 and 2.0.
2109ca86bcf2SDag-Erling Smørgrav.An Niels Provos
2110ca86bcf2SDag-Erling Smørgravand
2111ca86bcf2SDag-Erling Smørgrav.An Markus Friedl
2112ca86bcf2SDag-Erling Smørgravcontributed support for privilege separation.
2113